last sync: 2022-Aug-11 16:33:24 UTC

Changes on Azure Policy definitions

Category Id DisplayName Description Effect Roles used Details (UTC ymd) (i)
Security Center3b1a8e0a-b2e1-48be-9365-28be2fbef550[Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor AgentConfigure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-08-09 17:24:03
change: Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)
Monitoring4da21710-ce6f-4e06-8cdb-5cc4c93ffbeeDeploy Dependency agent for Linux virtual machinesDeploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed: deployIfNotExistsLog Analytics Contributor
2022-08-09 17:24:03
change: Major (3.0.0 > 4.0.0)
Cognitive Servicescddd188c-4b82-4c48-a19d-ddf74ee66a01Cognitive Services should use private linkAzure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: Audit
Allowed: (Audit, Disabled)
2022-08-09 17:24:03
change: Major (2.0.0 > 3.0.0)
Security Centere9ac8f8e-ce22-4355-8f04-99b911d6be52Guest accounts with read permissions on Azure resources should be removedExternal accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-08-09 17:24:03
add: e9ac8f8e-ce22-4355-8f04-99b911d6be52
Cosmos DBa63cc0bd-cda4-4178-b705-37dc439d3e0fConfigure CosmosDB accounts to use private DNS zonesUse private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-08-09 17:24:03
change: Major (1.0.0 > 2.0.0)
Monitoring5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice belowDeploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Fixed: deployIfNotExistsLog Analytics Contributor
Virtual Machine Contributor
2022-08-09 17:24:03
change: Major (2.0.1 > 3.0.0)
Security Centere3e008c3-56b9-4133-8fd7-d3347377402aAccounts with owner permissions on Azure resources should be MFA enabledMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-08-09 17:24:03
add: e3e008c3-56b9-4133-8fd7-d3347377402a
Monitoring7c4214e9-ea57-487a-b38e-310ec09bc21dDeploy a Data Collection Rule for VMInsights and Data Collection Rule Association for all Arc Machines in the Resource GroupDeploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-08-09 17:24:03
change: Minor (1.0.0 > 1.1.0)
Security Centerc9ae938d-3d6f-4466-b7c3-351761d9c890[Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection RuleConfigure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-08-09 17:24:03
change: Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)
Cognitive Services47ba1dd7-28d9-4b07-a8d5-9813bed64e0cConfigure Cognitive Services accounts to disable public network accessDisable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: Modify
Allowed: (Disabled, Modify)
Contributor
2022-08-09 17:24:03
change: Major (2.0.0 > 3.0.0)
Monitoring765266ab-e40e-4c61-bcb2-5a5275d0b7c0Deploy Dependency agent for Linux virtual machine scale setsDeploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExistsVirtual Machine Contributor
2022-08-09 17:24:03
change: Major (3.0.0 > 4.0.0)
Monitoringa0f27bdc-5b15-4810-b81d-7c4df9df1a37Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource GroupDeploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-08-09 17:24:03
change: Minor (1.0.0 > 1.1.0)
Security Center30f52897-df47-4ca0-81a8-a3be3e8dd226[Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection RuleConfigure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-08-09 17:24:03
change: Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)
Security Centerc15c5978-ab6e-4599-a1c3-90a7918f5371[Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor AgentConfigure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-08-09 17:24:03
change: Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)
Monitoring9d2b61b4-1d14-4a63-be30-d4498e7ad2cfConfigure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice belowEnable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-08-09 17:24:03
change: Patch (2.1.0 > 2.1.1)
Security Center8d7e1fde-fe26-4b5f-8108-f8e432cbc2beBlocked accounts with read and write permissions on Azure resources should be removedDeprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-08-09 17:24:03
add: 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be
Service Buscbd11fd3-3002-4907-b6c8-579f0e700e13Service Bus Namespaces should disable public network accessAzure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-08-09 17:24:03
add: cbd11fd3-3002-4907-b6c8-579f0e700e13
Security Centera2ea54a3-9707-45e3-8230-bbda8309d17e[Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection RuleConfigure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-08-09 17:24:03
change: Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview)
Monitoringc7f3bf36-b807-4f18-82dc-f480ad713635Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSS in the Resource GroupDeploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-08-09 17:24:03
change: Minor (1.0.0 > 1.1.0)
Security Centeraba46665-c3a7-4319-ace1-a0282deebac2[Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor AgentConfigure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target Arc machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-08-09 17:24:03
change: Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)
Security Center94e1c2ac-cbbe-4cac-a2b5-389c812dee87Guest accounts with write permissions on Azure resources should be removedExternal accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-08-09 17:24:03
add: 94e1c2ac-cbbe-4cac-a2b5-389c812dee87
Cognitive Servicesdb630ad5-52e9-4f4d-9c44-53912fe40053Configure Cognitive Services accounts with private endpointsPrivate endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Cognitive Services Contributor
2022-08-09 17:24:03
change: Major (2.1.0 > 3.0.0)
Security Center339353f6-2387-4a45-abe4-7f529d121046Guest accounts with owner permissions on Azure resources should be removedExternal accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-08-09 17:24:03
add: 339353f6-2387-4a45-abe4-7f529d121046
Security Center81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4Accounts with read permissions on Azure resources should be MFA enabledMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-08-09 17:24:03
add: 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4
Security Center931e118d-50a1-4457-a5e4-78550e086c52Accounts with write permissions on Azure resources should be MFA enabledMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-08-09 17:24:03
add: 931e118d-50a1-4457-a5e4-78550e086c52
Security Center9c0aa188-e5fe-4569-8f74-b6e155624d9a[Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection RuleConfigure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-08-09 17:24:03
change: Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)
Monitoring187242f4-89c6-4c43-9a4e-188c0efacc5fResource logs should be enabled for Audit on supported resourcesResource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. The existence of a diagnostic setting for category group Audit on the selected resource types ensures that these logs are enabled and captured. Applicable resource types are those that support the "Audit" category group. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-08-09 17:24:03
add: 187242f4-89c6-4c43-9a4e-188c0efacc5f
Security Center8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28[Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor AgentConfigure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-08-09 17:24:03
change: Minor, suffix remains equal (5.1.1-preview > 5.2.0-preview)
Monitoring053d3325-282c-4e5c-b944-24faffd30d77Deploy Log Analytics extension for Linux VMs. See deprecation notice belowDeploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Fixed: deployIfNotExistsLog Analytics Contributor
2022-08-05 16:32:22
change: Major (2.0.1 > 3.0.0)
Security Center0cfea604-3201-4e14-88fc-fae4c427a6c5Blocked accounts with owner permissions on Azure resources should be removedDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-08-05 16:32:22
add: 0cfea604-3201-4e14-88fc-fae4c427a6c5
Cognitive Services0725b4dd-7e76-479c-a735-68e7ee23d5caCognitive Services accounts should disable public network accessDisabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-08-05 16:32:22
change: Major (2.0.0 > 3.0.0)
Cognitive Services037eea7a-bd0a-46c5-9a66-03aea78705d3Cognitive Services accounts should restrict network accessNetwork access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-08-05 16:32:22
change: Major (2.0.0 > 3.0.0)
Lab Services0fd9915e-cab3-4f24-b200-6e20e1aa276aLab Services should require non-admin user for labsThis policy requires non-admin user accounts to be created for the labs managed through lab-services. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
change: Minor (1.0.0 > 1.1.0)
Lab Servicesa6e9cf2d-7d76-440e-b795-8da246bd3aabLab Services should enable all options for auto shutdownThis policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
change: Minor (1.0.0 > 1.1.0)
Container Apps783ea2a8-b8fd-46be-896a-9ae79643a0b1Container Apps should disable external network accessDisable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1)
Kubernetes708b60a6-d253-4fe0-9114-4be4c00f012c[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extensionMicrosoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-07-29 16:32:46
change: Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview)
Compute8405fdab-1faf-48aa-b702-999c9c172094Managed disks should disable public network accessDisabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default: Audit
Allowed: (Audit, Disabled)
2022-07-29 16:32:46
change: Major (1.0.0 > 2.0.0)
Lab Servicese8a5a3eb-1ab6-4657-a701-7ae432cf14e1Lab Services should not allow template virtual machines for labsThis policy prevents creation and customization of a template virtual machines for labs managed through Lab Services. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
change: Minor (1.0.0 > 1.1.0)
Monitoring3c1b3629-c8f8-4bf6-862c-037cb9094038Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale setsDeploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
Virtual Machine Contributor
2022-07-29 16:32:46
change: Patch (3.0.0 > 3.0.1)
Container Apps0e80e269-43a4-4ae9-b5bc-178126b8a5cbContainer Apps should only be accessible over HTTPSUse of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1)
Container Apps2b585559-a78e-4cc4-b1aa-fb169d2f6b96Authentication should be enabled on Container AppsContainer Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1)
Container Apps7c9f3fbb-739d-4844-8e42-97e3be6450e0Container App should configure with volume mountEnforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1)
Container Appsd074ddf8-01a5-4b5e-a2b8-964aed452c0aContainer Apps environment should disable public network accessDisable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1)
Monitoring0868462e-646c-4fe3-9ced-a733534b6a2cDeploy - Configure Log Analytics extension to be enabled on Windows virtual machinesDeploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-07-29 16:32:46
change: Patch (3.0.0 > 3.0.1)
Container Appsb874ab2d-72dd-47f1-8cb5-4a306478a4e7Managed Identity should be enabled for Container AppsEnforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1)
Compute8426280e-b5be-43d9-979e-653d12a08638Configure managed disks to disable public network accessDisable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default: Modify
Allowed: (Modify, Disabled)
Contributor
2022-07-29 16:32:46
change: Major (1.0.0 > 2.0.0)
Container Apps8b346db6-85af-419b-8557-92cee2c0f9bbContainer App environments should use network injectionContainer Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-07-29 16:32:46
change: Patch (1.0.1 > 1.0.2)
Lab Services3e13d504-9083-4912-b935-39a085db2249Lab Services should restrict allowed virtual machine SKU sizesThis policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
change: Minor (1.0.0 > 1.1.0)
Machine Learninge413671a-dd10-4cc1-a943-45b598596cb7Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibilityAzure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: https://aka.ms/V1LegacyMode. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-29 16:32:46
add: e413671a-dd10-4cc1-a943-45b598596cb7
Monitoring69af7d4a-7b18-4044-93a9-2651498ef203Configure Log Analytics extension on Azure Arc enabled Windows serversEnable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-07-29 16:32:46
change: Patch (2.1.0 > 2.1.1)
Monitoring08a4470f-b26d-428d-97f4-7e3e9c92b366Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settingsEnable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-07-26 16:32:46
add: 08a4470f-b26d-428d-97f4-7e3e9c92b366
Monitoring89ca9cc7-25cd-4d53-97ba-445ca7a1f222Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settingsDeploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-07-26 16:32:46
add: 89ca9cc7-25cd-4d53-97ba-445ca7a1f222
Kubernetesa1840de2-8088-4ea8-b153-b4c723e9cb01Azure Kubernetes Service clusters should have Defender profile enabledMicrosoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default: Audit
Allowed: (Audit, Disabled)
2022-07-26 16:32:46
change: Major (1.0.3 > 2.0.0)
Monitoringc7f3bf36-b807-4f18-82dc-f480ad713635Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSS in the Resource GroupDeploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-07-26 16:32:46
add: c7f3bf36-b807-4f18-82dc-f480ad713635
Cognitive Servicesdb630ad5-52e9-4f4d-9c44-53912fe40053Configure Cognitive Services accounts with private endpointsPrivate endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Cognitive Services Contributor
2022-07-26 16:32:46
change: Minor (2.0.0 > 2.1.0)
Monitoring2fea0c12-e7d4-4e03-b7bf-c34b2b8d787dDeploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settingsDeploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-07-26 16:32:46
add: 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d
Monitoring84cfed75-dfd4-421b-93df-725b479d356aConfigure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settingsEnable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-07-26 16:32:46
add: 84cfed75-dfd4-421b-93df-725b479d356a
Monitoringaf0082fd-fa58-4349-b916-b0e47abb0935Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settingsDeploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-07-26 16:32:46
add: af0082fd-fa58-4349-b916-b0e47abb0935
Monitoring7c4214e9-ea57-487a-b38e-310ec09bc21dDeploy a Data Collection Rule for VMInsights and Data Collection Rule Association for all Arc Machines in the Resource GroupDeploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-07-26 16:32:46
add: 7c4214e9-ea57-487a-b38e-310ec09bc21d
Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-07-26 16:32:46
add: d55b81e1-984f-4a96-acab-fae204e3ca7f
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-07-26 16:32:46
change: Major (3.1.1 > 4.0.0)
Monitoring | a0f27bdc-5b15-4810-b81d-7c4df9df1a37 | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks whether collection of Processes and Dependencies is required and creates the DCR accordingly. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-07-26 16:32:46
add: a0f27bdc-5b15-4810-b81d-7c4df9df1a37
Azure Active Directory | 2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28 | Azure Active Directory should use private link to access Azure services | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-22 16:34:49
add: 2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28
Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface (CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClasses are deprecated as of AKS version 1.21. To learn more, see https://aka.ms/aks-csi-driver | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-22 16:34:49
add: 4f3823b6-6dac-4b5a-9c61-ce1afb829f17
Azure Active Directory | 7e4301f9-5f32-4738-ad9f-7ec2d15563ad | Configure Private Link for Azure AD to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://aka.ms/privateLinkforAzureADDocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-07-22 16:34:49
add: 7e4301f9-5f32-4738-ad9f-7ec2d15563ad
Azure Active Directory | b923afcf-4c3a-4ed6-8386-1ff64b68de47 | Configure Private Link for Azure AD with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-07-22 16:34:49
add: b923afcf-4c3a-4ed6-8386-1ff64b68de47
SQL | 80ed5239-4122-41ed-b54a-6f1fa7552816 | Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-07-22 16:34:49
change: Patch (1.0.0 > 1.0.1)
SQL | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-07-22 16:34:49
change: Patch (1.0.0 > 1.0.1)
SQL | db048e65-913c-49f9-bb5f-1084184671d3 | Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-07-22 16:34:49
change: Patch (1.0.0 > 1.0.1)
SQL | 6134c3db-786f-471e-87bc-8f479dc890f6 | Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | Fixed: DeployIfNotExists
SQL Security Manager
Storage Account Contributor
2022-07-22 16:34:49
change: Minor (1.2.0 > 1.3.0)
SQL | 9dfea752-dd46-4766-aed1-c355fa93fb91 | Azure SQL Managed Instances should disable public network access | Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://aka.ms/mi-public-endpoint. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-22 16:34:49
add: 9dfea752-dd46-4766-aed1-c355fa93fb91
Container Registry | 785596ed-054f-41bc-aaec-7f3d0ba05725 | Configure container registries to disable ARM audience token authentication. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2022-07-15 16:32:44
add: 785596ed-054f-41bc-aaec-7f3d0ba05725
Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-15 16:32:44
change: Major (1.0.0 > 2.0.0)
Health Bot | 4d080fa5-a6d2-4f98-ba9c-f482d0d335c0 | Azure Health Bots should use customer-managed keys to encrypt data at rest | Use customer-managed keys (CMK) to manage the encryption at rest of the data of your healthbots. By default, the data is encrypted at rest with service-managed keys, but CMK are commonly required to meet regulatory compliance standards. CMK enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/health-bot/cmk | Default: Audit
Allowed: (Audit, Disabled)
2022-07-15 16:32:44
add: 4d080fa5-a6d2-4f98-ba9c-f482d0d335c0
Container Instance | 8af8f826-edcb-4178-b35f-851ea6fea615 | Azure Container Instance container group should deploy into a virtual network | Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-07-15 16:32:44
change: Major (1.0.0 > 2.0.0)
Container Registry | 42781ec6-6127-4c30-bdfa-fb423a0047d3 | Container registries should have ARM audience token authentication disabled. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-15 16:32:44
add: 42781ec6-6127-4c30-bdfa-fb423a0047d3
App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-15 16:32:44
change: Patch (1.0.1 > 1.0.2)
Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less than or equal to the resource limit, or left unspecified, to avoid overcommit. If Windows memory is over-provisioned it will page to disk, which can slow down performance, instead of terminating the container with out-of-memory. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-08 16:32:07
change: Patch (1.0.1 > 1.0.2)
Internet of Things | d02e48d5-28d9-40d3-8ab8-301932a6f9cb | Modify - Configure IoT Central to disable public network access | Disabling the public network access property improves security by ensuring your IoT Central application can only be accessed from a private endpoint. This policy disables public network access on IoT Central resources. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2022-07-08 16:32:07
add: d02e48d5-28d9-40d3-8ab8-301932a6f9cb
Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-08 16:32:07
change: Major (3.3.1 > 4.0.0)
Network | 632d3993-e2c0-44ea-a7db-2eca131f356d | Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag | Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-07-08 16:32:07
add: 632d3993-e2c0-44ea-a7db-2eca131f356d
Fluid Relay | 46388f67-373c-4018-98d3-2b83172dd13a | Fluid Relay should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Fluid Relay server. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Learn more at https://docs.microsoft.com/azure/azure-fluid-relay/concepts/customer-managed-keys. | Default: Audit
Allowed: (Audit, Disabled)
2022-07-08 16:32:07
add: 46388f67-373c-4018-98d3-2b83172dd13a
Internet of Things | 9ace2dbc-4b71-48b6-b2a7-428b0b2e3944 | IoT Central should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your IoT Central application instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/iotcentral-network-security-using-pe. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-08 16:32:07
add: 9ace2dbc-4b71-48b6-b2a7-428b0b2e3944
API Management | c15dcc82-b93c-4dcb-9332-fbf121685b54 | API Management calls to API backends should be authenticated | Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1)
Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-08 16:32:07
change: Patch (6.2.0 > 6.2.1)
Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists
Contributor
2022-07-08 16:32:07
change: Minor (4.0.1 > 4.1.0)
Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure Defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-08 16:32:07
change: Major, suffix remains equal (1.0.3-preview > 2.0.0-preview)
API Management | 549814b6-3212-4203-bdc8-1548d342fb67 | API Management minimum API version should be set to 2019-12-01 or higher | To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1)
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read-only root file system to protect against run-time changes, such as malicious binaries being added to PATH, in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-08 16:32:07
change: Major (4.2.1 > 5.0.0)
Azure Databricks | 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 | Azure Databricks Workspaces should disable public network access | Azure Databricks Workspaces should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-08 16:32:07
add: 0e7849de-b939-4c50-ab48-fc6b0f5eeba2
API Management | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management calls to API backends should not bypass certificate thumbprint or name validation | Calls from API Management to API backends should validate certificate thumbprint and certificate name. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1)
Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-07-08 16:32:07
change: Minor (2.0.1 > 2.1.0)
Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-07-08 16:32:07
change: Major, suffix remains equal (6.1.2-preview > 7.0.0-preview)
Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-07-08 16:32:07
change: Minor (2.0.1 > 2.1.0)
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-08 16:32:07
change: Major (6.2.0 > 7.0.0)
Internet of Things | d627d7c6-ded5-481a-8f2e-7e16b1e6faf6 | Deploy - Configure IoT Central to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Central private endpoints. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Contributor
2022-07-08 16:32:07
add: d627d7c6-ded5-481a-8f2e-7e16b1e6faf6
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-08 16:32:07
change: Major (6.1.0 > 7.0.0)
API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use encrypted protocols only | APIs should use encrypted protocols and should not use unencrypted protocols such as HTTP or WS. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-07-08 16:32:07
change: Patch (2.0.0 > 2.0.1)
Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-08 16:32:07
change: Major, suffix remains equal (5.0.3-preview > 6.0.0-preview)
Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor
User Access Administrator
2022-07-08 16:32:07
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
Guest Configuration | 828ba269-bf7f-4082-83dd-633417bc391d | Configure secure communication protocols (TLS 1.1 or TLS 1.2) on Windows servers | Creates a Guest Configuration assignment to configure the specified secure protocol version (TLS 1.1 or TLS 1.2) on Windows servers. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-07-08 16:32:07
add: 828ba269-bf7f-4082-83dd-633417bc391d
Internet of Things | cd870362-211d-4cad-9ad9-11e5ea4ebbc1 | Public network access should be disabled for IoT Central | To improve the security of IoT Central, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/iotcentral-restrict-public-access. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-08 16:32:07
add: cd870362-211d-4cad-9ad9-11e5ea4ebbc1
Internet of Things | 5b9d063f-c5fd-4750-a489-1258d1fefcbf | Configure Azure Device Update for IoT Hub accounts with private endpoint | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Contributor
2022-07-08 16:32:07
change: Minor (1.0.0 > 1.1.0)
API Management | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management Named Values secrets should be stored in Azure KeyVault | Secrets referenced in Named Values should store the values in Azure KeyVault instead of within the Named Values store. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1)
Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-08 16:32:07
change: Major (6.1.0 > 7.0.0)
Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor
User Access Administrator
2022-07-08 16:32:07
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists
Contributor
2022-07-08 16:32:07
change: Minor (4.0.1 > 4.1.0)
API Management | b741306c-968e-4b67-b916-5675e5c709f4 | API Management direct API Management endpoint should not be enabled | Azure API Management provides a direct management REST API, which can bypass certain limits of the Azure Resource Manager based API, and should not be enabled by default. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1)
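The five API Management policies above (backend authentication, minimum API version, certificate thumbprint/name validation, encrypted protocols, Named Values in Key Vault) all reduce to property checks on the service's ARM resources. The script below is an added example, not Microsoft's policy logic or any code from the page: it evaluates those checks offline over a resource list shaped like an ARM template export. It assumes the ARM property names `apiVersionConstraint.minApiVersion`, `protocols`, `credentials`, `tls.validateCertificateChain`, `tls.validateCertificateName`, `properties.serviceFabricCluster`, `secret` and `keyVault.secretIdentifier`; the service name `contoso-apim`, its APIs, backends and named values are constructed sample data. The direct management endpoint policy is not covered because its setting lives on a separate tenant-access resource.

```python
"""Offline checks mirroring the API Management built-in policies listed above.
Added example; SAMPLE_RESOURCES is constructed, not exported from a real service."""

MIN_API_VERSION = "2019-12-01"          # floor required by policy 549814b6
UNENCRYPTED_PROTOCOLS = {"http", "ws"}  # flagged by policy ee7495e7


def backend_is_service_fabric(props):
    # Service Fabric backends are excluded by policy c15dcc82.
    return "serviceFabricCluster" in props.get("properties", {})


def backend_is_authenticated(props):
    """True if the backend carries any credential APIM can present: client
    certificate(s), header or query secrets, or an Authorization header scheme."""
    creds = props.get("credentials") or {}
    return bool(creds.get("certificate") or creds.get("certificateIds")
                or creds.get("header") or creds.get("query")
                or (creds.get("authorization") or {}).get("scheme"))


def min_api_version_ok(service_props):
    """minApiVersion must be set and be 2019-12-01 or newer. Versions are ISO dates,
    optionally suffixed '-preview', so comparing the first 10 characters suffices."""
    v = (service_props.get("apiVersionConstraint") or {}).get("minApiVersion")
    return bool(v) and v[:10] >= MIN_API_VERSION


def audit_apim(resources):
    """Return (resource name, finding) pairs for the resources that fail a check."""
    findings = []
    for r in resources:
        rtype, name, props = r["type"], r["name"], r.get("properties", {})
        if rtype == "Microsoft.ApiManagement/service":
            if not min_api_version_ok(props):
                findings.append((name, f"minApiVersion missing or older than {MIN_API_VERSION}"))
        elif rtype == "Microsoft.ApiManagement/service/apis":
            bad = sorted(set(props.get("protocols", [])) & UNENCRYPTED_PROTOCOLS)
            if bad:
                findings.append((name, "allows unencrypted protocols: " + ", ".join(bad)))
        elif rtype == "Microsoft.ApiManagement/service/backends":
            if backend_is_service_fabric(props):
                continue
            if not backend_is_authenticated(props):
                findings.append((name, "backend call is unauthenticated"))
            tls = props.get("tls") or {}   # both flags default to true when absent
            if not tls.get("validateCertificateChain", True):
                findings.append((name, "certificate chain validation disabled"))
            if not tls.get("validateCertificateName", True):
                findings.append((name, "certificate name validation disabled"))
        elif rtype == "Microsoft.ApiManagement/service/namedValues":
            if props.get("secret") and not (props.get("keyVault") or {}).get("secretIdentifier"):
                findings.append((name, "secret named value not backed by Key Vault"))
    return findings


# Constructed sample resources (hypothetical service 'contoso-apim').
SAMPLE_RESOURCES = [
    {"type": "Microsoft.ApiManagement/service", "name": "contoso-apim",
     "properties": {"apiVersionConstraint": {"minApiVersion": "2019-12-01"}}},
    {"type": "Microsoft.ApiManagement/service/apis", "name": "contoso-apim/orders",
     "properties": {"protocols": ["https"]}},
    {"type": "Microsoft.ApiManagement/service/apis", "name": "contoso-apim/legacy",
     "properties": {"protocols": ["http", "https"]}},
    {"type": "Microsoft.ApiManagement/service/backends", "name": "contoso-apim/orders-backend",
     "properties": {"url": "https://orders.internal.example", "protocol": "http",
                    "credentials": {"header": {"x-functions-key": ["{{orders-key}}"]}},
                    "tls": {"validateCertificateChain": True, "validateCertificateName": True}}},
    {"type": "Microsoft.ApiManagement/service/backends", "name": "contoso-apim/legacy-backend",
     "properties": {"url": "https://legacy.internal.example", "protocol": "http",
                    "tls": {"validateCertificateChain": False, "validateCertificateName": False}}},
    {"type": "Microsoft.ApiManagement/service/backends", "name": "contoso-apim/sf-backend",
     "properties": {"url": "fabric:/app/svc", "protocol": "http",
                    "properties": {"serviceFabricCluster": {"managementEndpoints": ["https://sf.internal.example:19080"]}}}},
    {"type": "Microsoft.ApiManagement/service/namedValues", "name": "contoso-apim/orders-key",
     "properties": {"displayName": "orders-key", "secret": True, "value": "redacted"}},
    {"type": "Microsoft.ApiManagement/service/namedValues", "name": "contoso-apim/db-password",
     "properties": {"displayName": "db-password", "secret": True,
                    "keyVault": {"secretIdentifier": "https://kv.vault.azure.net/secrets/db-password"}}},
]

if __name__ == "__main__":
    for name, msg in audit_apim(SAMPLE_RESOURCES):
        print(f"{name}: {msg}")
```

Run against a real export (`az apim` does not emit one directly; export the resource group as an ARM template and pass its `resources` list), the same five checks give a quick pre-assignment view of what the Audit or Deny effects would flag.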
Internet of Things | c854b0f0-02d0-4f94-9b42-fd175fbd4d49 | Deploy - Configure IoT Central with private endpoints | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT Central to allow services inside your virtual network to reach IoT Central without requiring traffic to be sent to IoT Central's public endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Contributor
2022-07-08 16:32:07
add: c854b0f0-02d0-4f94-9b42-fd175fbd4d49
App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Patch (2.0.0 > 2.0.1)
App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Function apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps since Python is not supported on Windows apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (3.0.0 > 4.0.0)
App Service | 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 | App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)
Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-07-01 16:32:34
change: Patch, new suffix: preview (6.1.1 > 6.1.2-preview)
App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | [Deprecated]: API apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)
App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Function apps should use managed identity | Use a managed identity for enhanced authentication security. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)
App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)
App Service | b318f84a-b872-429b-ac6d-a01b96814452 | Configure App Service apps to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-01 16:32:34
change: Major (4.2.1 > 5.0.0)
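Several of the Kubernetes entries above (CSI StorageClass, Windows cpu/memory overcommit, CAP_SYS_ADMIN, read-only root filesystem, approved host network and port range) are enforced in-cluster by the Azure Policy add-on's Gatekeeper constraints. The script below is an added example, not the add-on's Rego or any code from the page: it applies the same checks offline to objects shaped like `kubectl get pods,storageclasses -o json` items, so you can see what an Audit assignment would report before enabling Deny. The Windows overcommit rule needs real quantity parsing (`500m` vs `1`, `1Gi` vs `1G`), which is where most home-grown checks go wrong. Pod names, container names and StorageClass names are constructed sample data; the in-tree provisioner names `kubernetes.io/azure-disk` and `kubernetes.io/azure-file` are the ones the pre-CSI drivers register.

```python
"""Local checks mirroring several AKS built-in Kubernetes policies listed above.
Added example; SAMPLE_PODS and SAMPLE_STORAGE_CLASSES are constructed, not from a real cluster."""
import re

# Multipliers for Kubernetes memory quantities; cpu uses "m" for millicores instead.
_MEM_SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
               "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}

# Provisioners used by the deprecated in-tree (non-CSI) Azure storage drivers.
IN_TREE_PROVISIONERS = {"kubernetes.io/azure-disk", "kubernetes.io/azure-file"}


def parse_cpu(quantity):
    """'500m' -> 500 millicores; '2' -> 2000; '0.5' -> 500."""
    s = str(quantity)
    return int(s[:-1]) if s.endswith("m") else int(float(s) * 1000)


def parse_memory(quantity):
    """'1Gi' -> 1073741824 bytes; accepts binary (Ki, Mi, ...) and SI (k, M, ...) suffixes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kMGT]i?)?", str(quantity))
    if not m:
        raise ValueError(f"unsupported quantity: {quantity!r}")
    return int(float(m.group(1)) * _MEM_SUFFIX[m.group(2) or ""])


def is_windows_pod(pod):
    spec = pod["spec"]
    return (spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows"
            or spec.get("os", {}).get("name") == "windows")


def audit_pod(pod, host_port_range=None):
    """Return (container, finding) pairs for one Pod. host_port_range=(lo, hi) is the
    approved hostPort range; None means no hostPort is approved at all."""
    findings = []
    spec = pod["spec"]
    if spec.get("hostNetwork"):
        findings.append(("<pod>", "hostNetwork enabled"))
    windows = is_windows_pod(pod)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        if any(cap.upper() in ("SYS_ADMIN", "CAP_SYS_ADMIN")
               for cap in sc.get("capabilities", {}).get("add", [])):
            findings.append((name, "adds CAP_SYS_ADMIN"))
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append((name, "root filesystem is writable"))
        for port in c.get("ports", []):
            hp = port.get("hostPort")
            if hp is not None and not (host_port_range and host_port_range[0] <= hp <= host_port_range[1]):
                findings.append((name, f"hostPort {hp} outside approved range"))
        if windows:  # overcommit rule applies to Windows containers only
            res = c.get("resources", {})
            req, lim = res.get("requests", {}), res.get("limits", {})
            for key, parse in (("cpu", parse_cpu), ("memory", parse_memory)):
                if key in req and key in lim and parse(req[key]) > parse(lim[key]):
                    findings.append((name, f"{key} request {req[key]} exceeds limit {lim[key]}"))
    return findings


def in_tree_storage_classes(storage_classes):
    """Names of StorageClasses still using the deprecated in-tree Azure provisioners."""
    return sorted(sc["metadata"]["name"] for sc in storage_classes
                  if sc.get("provisioner") in IN_TREE_PROVISIONERS)


# Constructed sample objects (hypothetical workloads, not from a real cluster).
SAMPLE_PODS = [
    {"metadata": {"name": "win-app"},
     "spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
              "containers": [{"name": "web",
                              "resources": {"requests": {"cpu": "1", "memory": "2Gi"},
                                            "limits": {"cpu": "500m", "memory": "1Gi"}}}]}},
    {"metadata": {"name": "debug"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "shell",
                              "ports": [{"containerPort": 8080, "hostPort": 8080}],
                              "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]},
                                                  "readOnlyRootFilesystem": True}}]}},
]
SAMPLE_STORAGE_CLASSES = [
    {"metadata": {"name": "default"}, "provisioner": "kubernetes.io/azure-disk"},
    {"metadata": {"name": "managed-csi"}, "provisioner": "disk.csi.azure.com"},
]

if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        for container, msg in audit_pod(pod):
            print(f"{pod['metadata']['name']}/{container}: {msg}")
    print("in-tree StorageClasses:", in_tree_storage_classes(SAMPLE_STORAGE_CLASSES))
```

Note that the API server already rejects a request larger than its limit for a single container; the check is still useful on exported manifests and on pods whose requests come from a LimitRange default, which is where the Windows paging behaviour described above tends to appear.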
App Service95bccee9-a7f8-4bec-9ee9-62c3473701fcApp Service apps should have authentication enabledAzure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Patch (2.0.0 > 2.0.1)
App Service7008174a-fd10-4ef0-817e-fc820a951d73App Service apps that use Python should use the latest 'Python version'Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (3.0.0 > 4.0.0)
App Service496223c3-ad65-4ecd-878a-bae78737e9edApp Service apps that use Java should use the latest 'Java version'Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)
App Service2c034a29-2a5f-4857-b120-f800fe5549aeConfigure App Service app slots to disable local authentication for SCM sitesDisable local authentication methods for SCM sites so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)
App Servicefb74e86f-d351-4b8d-b034-93da7391c01fApp Service Environment should have internal encryption enabledSetting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Default: Audit
Allowed: (Audit, Disabled)
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)
Kubernetes56d0a13f-712f-466b-8416-56fb354fb823Kubernetes cluster containers should not use forbidden sysctl interfacesContainers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-01 16:32:34
change: Patch (6.0.1 > 6.0.2)
App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
Default: Audit
Allowed: (Audit, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)

App Service | 72d04c29-f87d-4575-9731-419ff16a2757 | App Service apps should be injected into a virtual network
Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)

App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | [Deprecated]: Latest TLS version should be used in your API App
Upgrade to the latest TLS version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use the latest TLS version', which is scoped to include API apps in addition to Web Apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app
Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated)

App Service | dcbc65aa-59f3-4239-8978-3bb869d82604 | App Service apps should use an Azure file share for its content directory
The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594.
Default: Audit
Allowed: (Audit, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)

Kubernetes | 6c66c325-74c8-42fd-a286-a74b0e2939d8 | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace
Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Monitoring Contributor, Log Analytics Contributor
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)

App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | [Deprecated]: Authentication should be enabled on your API app
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps should have authentication enabled', which is scoped to include API apps in addition to Web apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

App Service | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service Environment should have TLS 1.0 and 1.1 disabled
TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-07-01 16:32:34
change: Patch (2.0.0 > 2.0.1)

App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have 'Client Certificates (Incoming client certificates)' enabled', which is scoped to include API apps in addition to Web Apps.
Default: Audit
Allowed: (Audit, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments
Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)

App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Function apps should have 'Client Certificates (Incoming client certificates)' enabled
Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.
Default: Audit
Allowed: (Audit, Disabled)
2022-07-01 16:32:34
change: Major (1.0.1 > 2.0.0)

App Service | 0820b7b9-23aa-4725-a1ce-ae4558f718e5 | Function apps should not have CORS configured to allow every resource to access your apps
Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)

App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Function apps should use latest 'HTTP Version'
Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)

App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments
Disable local authentication methods for FTP deployments so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Website Contributor
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)

App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app
Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service apps should use latest 'HTTP Version'
Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)

App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Function apps that use Java should use the latest 'Java version'
Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)

App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | App Service apps should use managed identity
Use a managed identity for enhanced authentication security.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)

App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites
Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Website Contributor
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)

App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments
Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)

App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments
Disabling local authentication methods improves security by ensuring that App Service exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)

Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Patch, new suffix: preview (5.0.2 > 5.0.3-preview)

Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-01 16:32:34
change: Major (3.1.1 > 4.0.0)

App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | [Deprecated]: FTPS only should be required in your API App
Enable FTPS enforcement for enhanced security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should require FTPS only', which is scoped to include API apps in addition to Web Apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Default: Audit
Allowed: (Audit, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)

App Service | e9c8d085-d9cc-4b17-9cdc-059f1f01f19e | [Deprecated]: Remote debugging should be turned off for API Apps
Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have remote debugging turned off', which is scoped to include API apps in addition to Web Apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments
Disabling local authentication methods improves security by ensuring that App Service exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)

App Service | 0e60b895-3786-45da-8377-9c6b4b6ac5f9 | Function apps should have remote debugging turned off
Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)

App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Function apps should use the latest TLS version
Upgrade to the latest TLS version.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)

Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs
Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-01 16:32:34
change: Patch (5.0.1 > 5.0.2)

App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service apps should use the latest TLS version
Upgrade to the latest TLS version.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)

App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app
Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

App Service | 687aa49d-0982-40f8-bf6b-66d1da97a04b | App Service apps should use private link
Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)

Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-01 16:32:34
change: Major (7.2.0 > 8.0.0)

App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use the latest 'PHP version'
Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.2.0 > 3.0.0)

App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Function apps should have authentication enabled
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)

App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | [Deprecated]: Managed identity should be used in your API App
Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

App Service | 324c7761-08db-4474-9661-d1039abc92ee | [Deprecated]: API apps should use an Azure file share for its content directory
The content directory of an API app should be located on an Azure file share. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use an Azure file share for its content directory', which is scoped to include API apps in addition to Web Apps.
Default: Audit
Allowed: (Audit, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | Function apps should require FTPS only
Enable FTPS enforcement for enhanced security.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0)

Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles
Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-07-01 16:32:34
change: Major (4.2.1 > 5.0.0)

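The Kubernetes entries in this sync (host network and host port range 82985f06, forbidden sysctls 56d0a13f, allowed FlexVolume drivers f4a8fce0, approved user and group IDs f06ddb64, CPU and memory limit ceilings e345eecc, allowed AppArmor profiles 511f5417) are all admission-time checks on the Pod spec, evaluated by Azure Policy for Kubernetes against the parameters of the assignment. The script below is an added example, not code from this changelog or from the policy definitions: it reproduces those checks in plain Python over two constructed Pod manifests, one that violates every rule and one that passes. The parameter values, both manifests, and the treatment of a missing AppArmor annotation as `runtime/default` are assumptions.

```python
"""Pod-admission checks mirroring the Kubernetes policies listed above.
Added example with constructed manifests; the parameter values are
assumptions standing in for what an assignment would pass to each policy."""
from fnmatch import fnmatch

# Assumed assignment parameters (not the defaults of any real definition).
PARAMS = {
    "allow_host_network": False,
    "host_port_range": (0, 0),            # no host ports allowed at all
    "forbidden_sysctls": ["kernel.*", "net.core.*"],
    "allowed_apparmor": ["runtime/default", "localhost/restricted"],
    "uid_range": (1000, 65535),
    "gid_range": (1000, 65535),
    "cpu_limit": "1000m",
    "memory_limit": "512Mi",
    "allowed_flexvolume_drivers": ["example/lvm"],
}

MEM_SUFFIX = {"Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
              "K": 1000, "M": 1000**2, "G": 1000**3, "T": 1000**4}


def parse_cpu(q):
    """Kubernetes CPU quantity -> millicores ("500m" -> 500, "2" -> 2000)."""
    q = str(q)
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)


def parse_memory(q):
    """Kubernetes memory quantity -> bytes ("512Mi" -> 536870912)."""
    q = str(q)
    for suffix, mult in MEM_SUFFIX.items():
        if q.endswith(suffix):
            return int(float(q[:-len(suffix)]) * mult)
    return int(float(q))


def in_range(value, rng):
    return value is not None and rng[0] <= value <= rng[1]


def check_pod(pod, params=PARAMS):
    """Return the list of violations; an empty list means the pod is admissible."""
    spec = pod["spec"]
    psc = spec.get("securityContext", {})
    ann = pod.get("metadata", {}).get("annotations", {})
    lo, hi = params["host_port_range"]
    out = []
    if spec.get("hostNetwork") and not params["allow_host_network"]:
        out.append("hostNetwork is enabled")
    for s in psc.get("sysctls", []):                       # forbidden sysctls
        if any(fnmatch(s["name"], pat) for pat in params["forbidden_sysctls"]):
            out.append(f"forbidden sysctl {s['name']}")
    if "fsGroup" in psc and not in_range(psc["fsGroup"], params["gid_range"]):
        out.append(f"fsGroup {psc['fsGroup']} outside allowed range")
    for g in psc.get("supplementalGroups", []):
        if not in_range(g, params["gid_range"]):
            out.append(f"supplementalGroup {g} outside allowed range")
    for v in spec.get("volumes", []):                       # FlexVolume drivers
        drv = v.get("flexVolume", {}).get("driver")
        if drv and drv not in params["allowed_flexvolume_drivers"]:
            out.append(f"flexVolume driver {drv} not allowed")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, csc = c["name"], c.get("securityContext", {})
        for p in c.get("ports", []):                        # host port range
            hp = p.get("hostPort")
            if hp is not None and not (lo <= hp <= hi):
                out.append(f"{name}: hostPort {hp} outside {lo}-{hi}")
        # AppArmor profile is a per-container pod annotation; a missing
        # annotation is treated as runtime/default here (assumption).
        prof = ann.get(f"container.apparmor.security.beta.kubernetes.io/{name}",
                       "runtime/default")
        if prof not in params["allowed_apparmor"]:
            out.append(f"{name}: AppArmor profile {prof} not allowed")
        # A container securityContext overrides the pod-level one.
        uid = csc.get("runAsUser", psc.get("runAsUser"))
        gid = csc.get("runAsGroup", psc.get("runAsGroup"))
        if not in_range(uid, params["uid_range"]):
            out.append(f"{name}: runAsUser {uid} unset or outside allowed range")
        if not in_range(gid, params["gid_range"]):
            out.append(f"{name}: runAsGroup {gid} unset or outside allowed range")
        lim = c.get("resources", {}).get("limits", {})      # limits present and capped
        if "cpu" not in lim or parse_cpu(lim["cpu"]) > parse_cpu(params["cpu_limit"]):
            out.append(f"{name}: cpu limit {lim.get('cpu')} missing or above {params['cpu_limit']}")
        if "memory" not in lim or parse_memory(lim["memory"]) > parse_memory(params["memory_limit"]):
            out.append(f"{name}: memory limit {lim.get('memory')} missing or above {params['memory_limit']}")
    return out


# Constructed manifests (dict form of the YAML a client would submit).
BAD_POD = {
    "metadata": {"name": "legacy-agent", "annotations": {
        "container.apparmor.security.beta.kubernetes.io/agent": "unconfined"}},
    "spec": {
        "hostNetwork": True,
        "securityContext": {"runAsUser": 0, "fsGroup": 0,
                            "sysctls": [{"name": "kernel.shm_rmid_forced", "value": "1"}]},
        "volumes": [{"name": "data", "flexVolume": {"driver": "vendor/raw"}}],
        "containers": [{"name": "agent", "image": "legacy-agent:1.0",
                        "ports": [{"containerPort": 8080, "hostPort": 8080}],
                        "resources": {"limits": {"cpu": "2", "memory": "2Gi"}}}],
    },
}
GOOD_POD = {
    "metadata": {"name": "api", "annotations": {
        "container.apparmor.security.beta.kubernetes.io/api": "runtime/default"}},
    "spec": {
        "securityContext": {"runAsUser": 10001, "runAsGroup": 10001,
                            "fsGroup": 10001, "supplementalGroups": [10002]},
        "containers": [{"name": "api", "image": "api:2.3",
                        "ports": [{"containerPort": 8080}],
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or ["admitted"])
```

Running it lists ten violations for `legacy-agent` and admits `api`. The real definitions run the same logic as Gatekeeper constraint templates; when an assignment uses the Deny effect (the default for e345eecc above), a manifest like `BAD_POD` is rejected at admission rather than reported.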
App Service | 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac | [Deprecated]: CORS should not allow every resource to access your API App
Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory
The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594.
Default: Audit
Allowed: (Audit, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)

App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments
Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Website Contributor
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1)

App Service | cb510bfd-1cba-4d9f-a230-cb0976f4bb71 | App Service apps should have remote debugging turned off
Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0)

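The App Service entries in this sync audit settings on one Microsoft.Web/sites resource (HTTPS only, minimum TLS version, FTPS state, HTTP version, remote debugging, incoming client certificates, managed identity, CORS origins) or on its basicPublishingCredentialsPolicies child resources (FTP and SCM basic authentication). The script below is an added example, not part of this changelog or of the Azure Policy definitions: it runs those checks over a constructed site document shaped like the merged output of `az webapp show` and `az webapp config show`, and emits the Azure CLI commands that would remediate each finding. The field names, the site document and the reading of 'latest TLS version' as 1.2 are assumptions; the commands are the documented `az webapp` and `az resource` invocations for these settings at the time of writing, so verify them against your CLI version.

```python
"""Checks mirroring the App Service policies listed above, run over a site
document, plus the Azure CLI commands that would remediate each finding.
Added example: the site document below is constructed, not a real resource."""
import copy
import json

# Constructed sample. Field names follow the Microsoft.Web/sites properties
# these policies evaluate, as `az webapp show` / `az webapp config show`
# return them (assumption); the basicPublishingCredentialsPolicies child
# resources (ftp, scm) are inlined under the site for convenience.
WEAK_SITE = json.loads("""
{
  "name": "contoso-api",
  "resourceGroup": "rg-contoso",
  "kind": "app,linux",
  "httpsOnly": false,
  "clientCertEnabled": false,
  "identity": {"type": "None"},
  "siteConfig": {
    "minTlsVersion": "1.0",
    "ftpsState": "AllAllowed",
    "http20Enabled": false,
    "remoteDebuggingEnabled": true,
    "cors": {"allowedOrigins": ["*"]}
  },
  "basicPublishingCredentialsPolicies": {
    "ftp": {"allow": true},
    "scm": {"allow": true}
  }
}
""")

# (finding, predicate that is True when compliant, remediation command).
# Predicates receive the site, its siteConfig and its publishing-credential
# policies. "Latest TLS version" is taken to mean 1.2 (assumption).
CHECKS = [
    ("https-only", lambda s, c, p: s.get("httpsOnly") is True,
     "az webapp update -g {rg} -n {app} --https-only true"),
    ("min-tls-1.2", lambda s, c, p: c.get("minTlsVersion") == "1.2",
     "az webapp config set -g {rg} -n {app} --min-tls-version 1.2"),
    ("ftps-only", lambda s, c, p: c.get("ftpsState") in ("FtpsOnly", "Disabled"),
     "az webapp config set -g {rg} -n {app} --ftps-state FtpsOnly"),
    ("http20", lambda s, c, p: c.get("http20Enabled") is True,
     "az webapp config set -g {rg} -n {app} --http20-enabled true"),
    ("remote-debugging-off", lambda s, c, p: c.get("remoteDebuggingEnabled") is not True,
     "az webapp config set -g {rg} -n {app} --remote-debugging-enabled false"),
    ("client-cert", lambda s, c, p: s.get("clientCertEnabled") is True,
     "az webapp update -g {rg} -n {app} --set clientCertEnabled=true"),
    ("managed-identity", lambda s, c, p: s.get("identity", {}).get("type", "None") != "None",
     "az webapp identity assign -g {rg} -n {app}"),
    ("cors-no-wildcard", lambda s, c, p: "*" not in c.get("cors", {}).get("allowedOrigins", []),
     "az webapp cors remove -g {rg} -n {app} --allowed-origins '*'"),
    ("ftp-basic-auth-off", lambda s, c, p: p.get("ftp", {}).get("allow") is False,
     "az resource update -g {rg} --namespace Microsoft.Web --parent sites/{app} "
     "--resource-type basicPublishingCredentialsPolicies -n ftp --set properties.allow=false"),
    ("scm-basic-auth-off", lambda s, c, p: p.get("scm", {}).get("allow") is False,
     "az resource update -g {rg} --namespace Microsoft.Web --parent sites/{app} "
     "--resource-type basicPublishingCredentialsPolicies -n scm --set properties.allow=false"),
]


def findings(site):
    """Names of the checks this site fails, in CHECKS order."""
    cfg = site.get("siteConfig", {})
    pub = site.get("basicPublishingCredentialsPolicies", {})
    return [name for name, ok, _ in CHECKS if not ok(site, cfg, pub)]


def remediation(site):
    """Azure CLI commands that would fix each failing check for this site."""
    failed = set(findings(site))
    return [cmd.format(rg=site["resourceGroup"], app=site["name"])
            for name, _, cmd in CHECKS if name in failed]


def hardened_copy(site):
    """Copy of the site with every setting as the policies expect it, to show
    the same checks pass on a compliant configuration."""
    h = copy.deepcopy(site)
    h["httpsOnly"] = True
    h["clientCertEnabled"] = True
    h["identity"] = {"type": "SystemAssigned"}
    h["siteConfig"].update(minTlsVersion="1.2", ftpsState="FtpsOnly",
                           http20Enabled=True, remoteDebuggingEnabled=False,
                           cors={"allowedOrigins": ["https://www.contoso.example"]})
    h["basicPublishingCredentialsPolicies"] = {"ftp": {"allow": False}, "scm": {"allow": False}}
    return h


if __name__ == "__main__":
    for f in findings(WEAK_SITE):
        print("FAIL", f)
    print("\n".join(remediation(WEAK_SITE)))
    print("hardened findings:", findings(hardened_copy(WEAK_SITE)))
```

The AuditIfNotExists definitions above only flag these states; the Configure... DeployIfNotExists definitions (5e97b776, 572e342c and their slot variants) perform the equivalent of the two `az resource update` calls through a remediation task, which is why they carry the Website Contributor role.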
Monitoring3be22e3b-d919-47aa-805e-8985dbeb0ad9Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale setsDeploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-06-24 19:15:47
change: Minor (3.0.0 > 3.1.0)
Security Centerf1525828-9a90-4fcf-be48-268cdd02361eDeploy Workflow Automation for Microsoft Defender for Cloud alertsEnable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExistsContributor
2022-06-24 19:15:47
change: Major (4.0.0 > 5.0.0)
Kubernetes64def556-fbad-4622-930e-72d1d5589bf5Configure Azure Kubernetes Service clusters to enable Defender profileMicrosoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-06-24 19:15:47
change: Patch, old suffix: preview (3.1.0-preview > 3.1.1)
Monitoring1c210e94-a481-4beb-95fa-1571b434fb04Deploy - Configure Dependency agent to be enabled on Windows virtual machinesDeploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-06-24 19:15:47
change: Minor (3.0.0 > 3.1.0)
Backup83644c87-93dd-49fe-bf9f-6aff8fd0834eConfigure backup on virtual machines with a given tag to a new recovery services vault with a default policyEnforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-06-24 19:15:47
change: Major (8.0.0 > 9.0.0)
Security Centercdfcce10-4578-4ecd-9703-530938e4abcbDeploy export to Event Hub for Microsoft Defender for Cloud dataEnable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExistsContributor
2022-06-24 19:15:47
change: Patch (4.0.0 > 4.0.1)
Backup345fa903-145c-4fe1-8bcd-93ec2adccde8Configure backup on virtual machines with a given tag to an existing recovery services vault in the same locationEnforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-06-24 19:15:47
change: Major (8.0.0 > 9.0.0)
Kubernetes708b60a6-d253-4fe0-9114-4be4c00f012c[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extensionMicrosoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-06-24 19:15:47
change: Patch, old suffix: preview (6.1.0-preview > 6.1.1)
Security Center73d6ab6c-2475-4850-afd6-43795f3492efDeploy Workflow Automation for Microsoft Defender for Cloud recommendationsEnable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExistsContributor
2022-06-24 19:15:47
change: Major (4.0.0 > 5.0.0)
Category: Kubernetes
Id: a1840de2-8088-4ea8-b153-b4c723e9cb01
DisplayName: Azure Kubernetes Service clusters should have Defender profile enabled
Description: Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks
Effect: Default: Audit; Allowed: (Audit, Disabled)
Details (UTC): 2022-06-24 19:15:47; change: Patch, old suffix: preview (1.0.2-preview > 1.0.3)

Category: Guest Configuration
Id: f40c7c00-b4e3-4068-a315-5fe81347a904
DisplayName: [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines
Description: This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Effect: Default: DeployIfNotExists; Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Roles used: Contributor, User Access Administrator
Details (UTC): 2022-06-24 19:15:47; add: f40c7c00-b4e3-4068-a315-5fe81347a904

Category: API Management
Id: ee7495e7-3ba7-40b6-bfee-c29e22cc75d4
DisplayName: API Management APIs should use encrypted protocols only
Description: APIs should use encrypted protocols. APIs should not use the unencrypted protocols such as HTTP or WS.
Effect: Default: Audit; Allowed: (Audit, Disabled, Deny)
Details (UTC): 2022-06-24 19:15:47; change: Major (1.0.0 > 2.0.0)

Category: Monitoring
Id: 765266ab-e40e-4c61-bcb2-5a5275d0b7c0
DisplayName: Deploy Dependency agent for Linux virtual machine scale sets
Description: Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances.
Effect: Fixed: deployIfNotExists
Roles used: Virtual Machine Contributor
Details (UTC): 2022-06-24 19:15:47; change: Major (2.0.0 > 3.0.0)

Category: Kubernetes
Id: 8dfab9c4-fe7b-49ad-85e4-1e9be085358f
DisplayName: [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Details (UTC): 2022-06-24 19:15:47; change: Patch, old suffix: preview (5.0.1-preview > 5.0.2)

Category: Kubernetes
Id: 46238e2f-3f6f-4589-9f3f-77bed4116e67
DisplayName: Azure Kubernetes Clusters should use Azure CNI
Description: Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni
Effect: Default: Audit; Allowed: (Audit, Disabled)
Details (UTC): 2022-06-24 19:15:47; add: 46238e2f-3f6f-4589-9f3f-77bed4116e67

Category: Security Center
Id: ffb6f416-7bd2-4488-8828-56585fef2be9
DisplayName: Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data
Description: Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC): 2022-06-24 19:15:47; change: Patch (4.0.0 > 4.0.1)

Category: Monitoring
Id: 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee
DisplayName: Deploy Dependency agent for Linux virtual machines
Description: Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.
Effect: Fixed: deployIfNotExists
Roles used: Log Analytics Contributor
Details (UTC): 2022-06-24 19:15:47; change: Major (2.0.0 > 3.0.0)

Category: Backup
Id: 09ce66bc-1220-4153-8104-e3f51c936913
DisplayName: Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.
Effect: Default: DeployIfNotExists; Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
Details (UTC): 2022-06-24 19:15:47; change: Major (8.0.0 > 9.0.0)

Category: Backup
Id: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86
DisplayName: Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.
Effect: Default: DeployIfNotExists; Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
Details (UTC): 2022-06-24 19:15:47; change: Major (8.0.0 > 9.0.0)

Category: Security Center
Id: 509122b9-ddd9-47ba-a5f1-d0dac20be63c
DisplayName: Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance
Description: Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC): 2022-06-24 19:15:47; change: Major (4.0.0 > 5.0.0)

Category: Kubernetes
Id: d2e7ea85-6b44-4317-a0be-1b951587f626
DisplayName: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
Description: To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (3.3.0 > 3.3.1)

Category: Kubernetes
Id: f4a8fce0-2dd5-4c21-9a36-8f0ec809d663
DisplayName: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
Description: Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (3.1.0 > 3.1.1)

Category: Kubernetes
Id: 511f5417-5d12-434d-ab2e-816901e72a5e
DisplayName: Kubernetes cluster containers should only use allowed AppArmor profiles
Description: Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (4.2.0 > 4.2.1)

Category: API Management
Id: f1cc7827-022c-473e-836e-5a51cae0b249
DisplayName: API Management Named Values secrets should be stored in Azure KeyVault
Description: Secrets referenced in Named Values should store the values in Azure KeyVault instead of within the Named Values store.
Effect: Default: Audit; Allowed: (Audit, Disabled, Deny)
Details (UTC): 2022-06-17 16:31:08; add: f1cc7827-022c-473e-836e-5a51cae0b249

Category: Kubernetes
Id: f06ddb64-5fa3-4b77-b166-acb36f7f6042
DisplayName: Kubernetes cluster pods and containers should only run with approved user and group IDs
Description: Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (5.0.0 > 5.0.1)

Category: API Management
Id: 3aa03346-d8c5-4994-a5bc-7652c2a2aef1
DisplayName: API Management subscriptions should not be scoped at the All API scope.
Description: API Management subscriptions should be scoped at the product or individual API instead of all APIs, which could expose all APIs in the API Management instance.
Effect: Default: Audit; Allowed: (Audit, Disabled, Deny)
Details (UTC): 2022-06-17 16:31:08; add: 3aa03346-d8c5-4994-a5bc-7652c2a2aef1

Category: API Management
Id: 92bb331d-ac71-416a-8c91-02f2cb734ce4
DisplayName: API Management calls to API backends should not bypass certificate thumbprint or name validation
Description: Calls from API Management to API backends should validate certificate thumbprint and certificate name.
Effect: Default: Audit; Allowed: (Audit, Disabled, Deny)
Details (UTC): 2022-06-17 16:31:08; add: 92bb331d-ac71-416a-8c91-02f2cb734ce4

Category: Kubernetes
Id: d46c275d-1680-448d-b2ec-e495a3b6cc89
DisplayName: Kubernetes cluster services should only use allowed external IPs
Description: Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (4.0.0 > 4.0.1)

Category: Kubernetes
Id: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
DisplayName: Kubernetes cluster containers should not share host process ID or host IPC namespace
Description: Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (4.0.0 > 4.0.1)

Category: Kubernetes
Id: e1e6c427-07d9-46ab-9689-bfa85431e636
DisplayName: Kubernetes cluster pods and containers should only use allowed SELinux options
Description: Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (6.0.1 > 6.0.2)

Category: Container Registry
Id: d0793b48-0edc-4296-a390-4c75d1bdfd71
DisplayName: Container registries should not allow unrestricted network access
Description: Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Major (1.1.0 > 2.0.0)

Category: Kubernetes
Id: 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
DisplayName: Kubernetes clusters should not allow container privilege escalation
Description: Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Major (4.2.0 > 6.0.1)

Category: Kubernetes
Id: 82985f06-dc18-4a48-bc1c-b9f4f0098cfe
DisplayName: Kubernetes cluster pods should only use approved host network and port range
Description: Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (4.2.0 > 4.2.1)

Category: Kubernetes
Id: 098fc59e-46c7-4d99-9b16-64990e543d75
DisplayName: Kubernetes cluster pod hostPath volumes should only use allowed host paths
Description: Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (5.0.0 > 5.0.1)

Category: Kubernetes
Id: df49d893-a74c-421d-bc95-c663042e5b80
DisplayName: Kubernetes cluster containers should run with a read only root file system
Description: Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (4.2.0 > 4.2.1)

Category: Kubernetes
Id: a27c700f-8a22-44ec-961c-41625264370b
DisplayName: Kubernetes clusters should not use specific security capabilities
Description: Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Major (3.2.0 > 4.0.1)

Category: Kubernetes
Id: b1a9997f-2883-4f12-bdff-2280f99b5915
DisplayName: Ensure cluster containers have readiness or liveness probes configured
Description: This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Major (1.1.0 > 2.0.0)

Category: Kubernetes
Id: 975ce327-682c-4f2e-aa46-b9598289b86c
DisplayName: Kubernetes cluster containers should only use allowed seccomp profiles
Description: Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (5.0.0 > 5.0.1)

Category: Machine Learning
Id: 3948394e-63de-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes
Description: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC): 2022-06-17 16:31:08; change: Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)

Category: API Management
Id: ee7495e7-3ba7-40b6-bfee-c29e22cc75d4
DisplayName: API Management APIs should use encrypted protocols only
Description: APIs should use encrypted protocols. APIs should not use the unencrypted protocols such as HTTP or WS.
Effect: Default: Audit; Allowed: (Audit, Disabled, Deny)
Details (UTC): 2022-06-17 16:31:08; add: ee7495e7-3ba7-40b6-bfee-c29e22cc75d4

Category: Kubernetes
Id: 9f061a12-e40d-4183-a00e-171812443373
DisplayName: Kubernetes clusters should not use the default namespace
Description: Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (3.0.0 > 3.0.1)

Category: Kubernetes
Id: c26596ff-4d70-4e6a-9a30-c2506bd2f80c
DisplayName: Kubernetes cluster containers should only use allowed capabilities
Description: Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (5.0.0 > 5.0.1)

Category: API Management
Id: b741306c-968e-4b67-b916-5675e5c709f4
DisplayName: API Management direct API Management endpoint should not be enabled
Description: Azure API Management provides a direct management REST API, which can bypass certain limits of the Azure Resource Manager based API, and should not be enabled by default.
Effect: Default: Audit; Allowed: (Audit, Disabled, Deny)
Details (UTC): 2022-06-17 16:31:08; add: b741306c-968e-4b67-b916-5675e5c709f4

Category: Kubernetes
Id: 95edb821-ddaf-4404-9732-666045e056b4
DisplayName: Kubernetes cluster should not allow privileged containers
Description: Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Deny; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Major (7.2.0 > 8.0.0)

Category: API Management
Id: 549814b6-3212-4203-bdc8-1548d342fb67
DisplayName: API Management minimum API version should be set to 2019-12-01 or higher
Description: To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC): 2022-06-17 16:31:08; add: 549814b6-3212-4203-bdc8-1548d342fb67

Category: Kubernetes
Id: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
DisplayName: Kubernetes cluster containers should only use allowed ProcMountType
Description: Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (7.0.0 > 7.0.1)

Category: Kubernetes
Id: 56d0a13f-712f-466b-8416-56fb354fb823
DisplayName: Kubernetes cluster containers should not use forbidden sysctl interfaces
Description: Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (6.0.0 > 6.0.1)

Category: Kubernetes
Id: 423dd1ba-798e-40e4-9c4d-b6902674b423
DisplayName: Kubernetes clusters should disable automounting API credentials
Description: Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (3.0.0 > 3.0.1)

Category: API Management
Id: c15dcc82-b93c-4dcb-9332-fbf121685b54
DisplayName: API Management calls to API backends should be authenticated
Description: Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Effect: Default: Audit; Allowed: (Audit, Disabled, Deny)
Details (UTC): 2022-06-17 16:31:08; add: c15dcc82-b93c-4dcb-9332-fbf121685b54

Category: Kubernetes
Id: 16697877-1118-4fb1-9b65-9898ec2509ec
DisplayName: Kubernetes cluster pods should only use allowed volume types
Description: Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Patch (4.0.0 > 4.0.1)

Category: Kubernetes
Id: 50c83470-d2f0-4dda-a716-1938a4825f62
DisplayName: Kubernetes cluster containers should only use allowed pull policy
Description: Restrict containers' pull policy to enforce containers to use only allowed images on deployments.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC): 2022-06-17 16:31:08; change: Major (1.2.0 > 2.0.0)

Category: Key Vault
Id: 405c5871-3e91-4644-8a63-58e19d68ff5b
DisplayName: Azure Key Vault should disable public network access
Description: Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC): 2022-06-10 16:31:21; add: 405c5871-3e91-4644-8a63-58e19d68ff5b

Category: App Service
Id: 546fe8d2-368d-4029-a418-6af48a7f61e5
DisplayName: App Service apps should use a SKU that supports private link
Description: With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC): 2022-06-10 16:31:21; change: Major (2.0.0 > 3.0.0)

Category: Kubernetes
Id: c26596ff-4d70-4e6a-9a30-c2506bd2f80c
DisplayName: Kubernetes cluster containers should only use allowed capabilities
Description: Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-10 16:31:21; change: Major (4.2.0 > 5.0.0)

Category: Kubernetes
Id: febd0533-8e55-448f-b837-bd0e06f16469
DisplayName: Kubernetes cluster containers should only use allowed images
Description: Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Deny; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-10 16:31:21; change: Major (7.1.0 > 8.0.0)

Category: Monitoring
Id: 1c210e94-a481-4beb-95fa-1571b434fb04
DisplayName: Deploy - Configure Dependency agent to be enabled on Windows virtual machines
Description: Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Log Analytics Contributor
Details (UTC): 2022-06-10 16:31:21; change: Major (2.1.0 > 3.0.0)

Category: Kubernetes
Id: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
DisplayName: Kubernetes cluster containers should not share host process ID or host IPC namespace
Description: Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-10 16:31:21; change: Major (3.2.0 > 4.0.0)

Category: Key Vault
Id: 55615ac9-af46-4a59-874e-391cc3dfb490
DisplayName: Azure Key Vault should have firewall enabled
Description: Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC): 2022-06-10 16:31:21; change: Major, old suffix: preview (2.0.0-preview > 3.0.0)

Category: Storage
Id: b2982f36-99f2-4db5-8eff-283140c09693
DisplayName: Storage accounts should disable public network access
Description: To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC): 2022-06-10 16:31:21; change: Patch (1.0.0 > 1.0.1)

Category: Machine Learning
Id: 77eeea86-7e81-4a7d-9067-de844d096752
DisplayName: [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes
Description: Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC): 2022-06-10 16:31:21; change: Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)

Category: Storage
Id: a06d0189-92e8-4dba-b0c4-08d7669fce7d
DisplayName: Configure storage accounts to disable public network access
Description: To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.
Effect: Default: Modify; Allowed: (Modify, Disabled)
Roles used: Storage Account Contributor
Details (UTC): 2022-06-10 16:31:21; change: Patch (1.0.0 > 1.0.1)

Category: Key Vault
Id: ac673a9a-f77d-4846-b2d8-a57f8e1c01dc
DisplayName: Configure key vaults to enable firewall
Description: Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security
Effect: Default: Modify; Allowed: (Modify, Disabled)
Roles used: Key Vault Contributor
Details (UTC): 2022-06-10 16:31:21; change: Minor, old suffix: preview (1.0.0-preview > 1.1.1)

Category: Machine Learning
Id: 53c70b02-63dd-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure allowed module authors for specified Azure Machine Learning computes
Description: Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC): 2022-06-10 16:31:21; change: Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview)

Category: Machine Learning
Id: 6a6f7384-63de-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure code signing for training code for specified Azure Machine Learning computes
Description: Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC): 2022-06-10 16:31:21; change: Minor, suffix remains equal (6.0.1-preview > 6.1.0-preview)

Category: Monitoring
Id: 3be22e3b-d919-47aa-805e-8985dbeb0ad9
DisplayName: Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets
Description: Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
Details (UTC): 2022-06-10 16:31:21; change: Major (2.1.0 > 3.0.0)

Category: Machine Learning
Id: 1d413020-63de-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes
Description: Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC): 2022-06-10 16:31:21; change: Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)

Category: Monitoring
Id: 0868462e-646c-4fe3-9ced-a733534b6a2c
DisplayName: Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines
Description: Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Log Analytics Contributor
Details (UTC): 2022-06-10 16:31:21; change: Major (2.1.1 > 3.0.0)

Category: Kubernetes
Id: 423dd1ba-798e-40e4-9c4d-b6902674b423
DisplayName: Kubernetes clusters should disable automounting API credentials
Description: Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC): 2022-06-10 16:31:21; change: Major (2.1.0 > 3.0.0)

Category: Monitoring
Id: 3c1b3629-c8f8-4bf6-862c-037cb9094038
DisplayName: Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets
Description: Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Log Analytics Contributor, Virtual Machine Contributor
Details (UTC): 2022-06-10 16:31:21; change: Major (2.1.1 > 3.0.0)

Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (Audit, Disabled)
2022-06-10 16:31:21
change: Major (1.0.1 > 2.0.0)
Guest Configuration | 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f | [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-06-07 16:30:19
add: 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f
Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less than or equal to the resource limit, or unspecified, to avoid overcommit. If Windows memory is over-provisioned it will page to disk, which can slow down performance, instead of terminating the container with out-of-memory. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-06-07 16:30:19
change: Patch (1.0.0 > 1.0.1)
Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Guest Configuration | e79ffbda-ff85-465d-ab8e-7e58a557660f | [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-06-07 16:30:19
add: e79ffbda-ff85-465d-ab8e-7e58a557660f
Security Center | 37c043a6-6d64-656d-6465-b362dfeb354a | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines | Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-06-07 16:30:19
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Security Center | 1ec9c2c2-6d64-656d-6465-3ec3309b8579 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines | Deploys Microsoft Defender for Endpoint on applicable Windows VM images. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-06-07 16:30:19
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-06-07 16:30:19
add: 65280eef-c8b4-425e-9aec-af55e55bf581
Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor
User Access Administrator
2022-06-07 16:30:19
change: Patch, new suffix: preview (1.0.0 > 1.0.1-preview)
Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-06-07 16:30:19
change: Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)
Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-06-07 16:30:19
change: Major (2.2.0 > 3.0.0)
App Service | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit
Allowed: (Audit, Disabled)
2022-06-07 16:30:19
change: Major (1.0.0 > 2.0.0)
Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-06-07 16:30:19
change: Minor (1.1.0 > 1.2.0)
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-06-07 16:30:19
change: Patch (6.0.0 > 6.0.1)
Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more at https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview)
Security Center | ac076320-ddcf-4066-b451-6154267e8ad2 | Enable Microsoft Defender for Cloud on your subscription | Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task. | Fixed: deployIfNotExists | Security Admin
2022-06-07 16:30:19
change: Patch (1.0.0 > 1.0.1)
Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor
User Access Administrator
2022-06-07 16:30:19
change: Patch, new suffix: preview (1.0.0 > 1.0.1-preview)
Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target Arc machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Security Center | 4eb909e7-6d64-656d-6465-2eeb297a1625 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines | Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-06-07 16:30:19
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-06-07 16:30:19
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview)
Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-06-07 16:30:19
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (3.0.3-preview > 3.1.0-preview)
Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-06-07 16:30:19
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (5.0.1-preview > 5.1.1-preview)
App Service | b7ddfbdc-1260-477d-91fd-98bd9be789a6 | [Deprecated]: API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should only be accessible over HTTPS', which is scoped to include API apps in addition to Web Apps. | Default: Audit
Allowed: (Audit, Disabled)
2022-06-07 16:30:19
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit
Allowed: (Audit, Disabled)
2022-06-07 16:30:19
change: Major (1.0.0 > 2.0.0)
Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-06-07 16:30:19
change: Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)
Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-06-07 16:30:19
add: 57dde185-5c62-4063-b965-afbb201e9c1c
Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-06-07 16:30:19
change: Major (1.0.0 > 2.0.0)
Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-06-07 16:30:19
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-06-07 16:30:19
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-06-07 16:30:19
change: Major (3.2.0 > 4.0.0)
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-06-07 16:30:19
change: Major, suffix remains equal (5.0.0-preview > 6.0.1-preview)
Storage | c1d634a5-f73d-4cdd-889f-2cc7006eb47f | Configure a private DNS Zone ID for table_secondary groupID | Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: c1d634a5-f73d-4cdd-889f-2cc7006eb47f
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-05-27 20:20:35
change: Major (4.2.0 > 5.0.0)
Storage | bcff79fb-2b0d-47c9-97e5-3023479b00d1 | Configure a private DNS Zone ID for queue groupID | Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: bcff79fb-2b0d-47c9-97e5-3023479b00d1
Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed: deployIfNotExists | Guest Configuration Resource Contributor
2022-05-27 20:20:35
change: Major (1.1.0 > 2.0.0)
Storage | b2982f36-99f2-4db5-8eff-283140c09693 | Storage accounts should disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-27 20:20:35
add: b2982f36-99f2-4db5-8eff-283140c09693
Storage | 75973700-529f-4de2-b794-fb9b6781b6b0 | Configure a private DNS Zone ID for blob groupID | Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: 75973700-529f-4de2-b794-fb9b6781b6b0
Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-05-27 20:20:35
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
Storage | d19ae5f1-b303-4b82-9ca8-7682749faf0c | Configure a private DNS Zone ID for web_secondary groupID | Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: d19ae5f1-b303-4b82-9ca8-7682749faf0c
Storage | 90bd4cb3-9f59-45f7-a6ca-f69db2726671 | Configure a private DNS Zone ID for dfs_secondary groupID | Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: 90bd4cb3-9f59-45f7-a6ca-f69db2726671
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-05-27 20:20:35
change: Major (5.1.0 > 6.0.0)
Storage | d847d34b-9337-4e2d-99a5-767e5ac9c582 | Configure a private DNS Zone ID for blob_secondary groupID | Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: d847d34b-9337-4e2d-99a5-767e5ac9c582
Container Apps | 8b346db6-85af-419b-8557-92cee2c0f9bb | Container App environments should use network injection | Container Apps environments should use virtual network injection to: (1) isolate Container Apps from the public internet; (2) enable network integration with resources on-premises or in other Azure virtual networks; (3) achieve more granular control over network traffic flowing to and from the environment. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-05-27 20:20:35
change: Patch (1.0.0 > 1.0.1)
Compute | 2835b622-407b-4114-9198-6f7064cbe0dc | Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | Fixed: deployIfNotExists | Virtual Machine Contributor
2022-05-27 20:20:35
change: Minor (1.0.0 > 1.1.0)
Compute | 9b597639-28e4-48eb-b506-56b05d366257 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-05-27 20:20:35
change: Minor (1.0.0 > 1.1.0)
Storage | 028bbd88-e9b5-461f-9424-a1b63a7bee1a | Configure a private DNS Zone ID for table groupID | Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: 028bbd88-e9b5-461f-9424-a1b63a7bee1a
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-05-27 20:20:35
change: Major (6.3.0 > 7.0.0)
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-05-27 20:20:35
change: Major (5.2.0 > 6.0.0)
Storage | da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6 | Configure a private DNS Zone ID for queue_secondary groupID | Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6
Storage | a06d0189-92e8-4dba-b0c4-08d7669fce7d | Configure storage accounts to disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Modify
Allowed: (Modify, Disabled)
Storage Account Contributor
2022-05-27 20:20:35
add: a06d0189-92e8-4dba-b0c4-08d7669fce7d
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-05-27 20:20:35
change: Major (4.2.0 > 5.0.0)
Maps | 50553764-7777-43cf-bf12-8647e0b9ba01 | CORS should not allow every resource to access your map account. | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your map account. Allow only required domains to interact with your map account. | Default: Audit
Allowed: (Disabled, Audit, Deny)
2022-05-27 20:20:35
add: 50553764-7777-43cf-bf12-8647e0b9ba01
Storage | 9adab2a5-05ba-4fbd-831a-5bf958d04218 | Configure a private DNS Zone ID for web groupID | Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: 9adab2a5-05ba-4fbd-831a-5bf958d04218
Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-05-27 20:20:35
change: Major (3.1.0 > 4.0.0)
Storage | 83c6fe0f-2316-444a-99a1-1ecd8a7872ca | Configure a private DNS Zone ID for dfs groupID | Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: 83c6fe0f-2316-444a-99a1-1ecd8a7872ca
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-05-27 20:20:35
change: Major (4.2.0 > 5.0.0)
Category: Storage
Id: 6df98d03-368a-4438-8730-a93c4d7693d6
DisplayName: Configure a private DNS Zone ID for file groupID
Description: Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-05-27 20:20:35
add: 6df98d03-368a-4438-8730-a93c4d7693d6
Category: Key Vault
Id: 86810a98-8e91-4a44-8386-ec66d0de5d57
DisplayName: [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size
Description: Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-23 08:52:47
add: 86810a98-8e91-4a44-8386-ec66d0de5d57
Category: Attestation
Id: 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97
DisplayName: Azure Attestation providers should disable public network access
Description: To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-23 08:52:47
add: 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97
Category: Web PubSub
Id: eb907f70-7514-460d-92b3-a5ae93b4f917
DisplayName: Azure Web PubSub Service should use private link
Description: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.
Default: Audit
Allowed: (Audit, Disabled)
2022-05-23 08:52:47
add: eb907f70-7514-460d-92b3-a5ae93b4f917
Category: SignalR
Id: 2393d2cf-a342-44cd-a2e2-fe0188fd1234
DisplayName: Azure SignalR Service should use private link
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink.
Default: Audit
Allowed: (Audit, Disabled)
2022-05-23 08:52:47
add: 2393d2cf-a342-44cd-a2e2-fe0188fd1234
Category: Key Vault
Id: 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5
DisplayName: [Preview]: Azure Key Vault Managed HSM keys should have an expiration date
Description: Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-23 08:52:47
add: 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5
Category: Key Vault
Id: e58fd0c1-feac-4d12-92db-0a7e9421f53e
DisplayName: [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names
Description: Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-23 08:52:47
add: e58fd0c1-feac-4d12-92db-0a7e9421f53e
Category: Managed Identity
Id: 516187d4-ef64-4a1b-ad6b-a7348502976c
DisplayName: [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets
Description: Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy.
Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor
User Access Administrator
2022-05-23 08:52:47
add: 516187d4-ef64-4a1b-ad6b-a7348502976c
Category: Kubernetes
Id: b81f454c-eebb-4e4f-9dfe-dca060e8a8fd
DisplayName: [Preview]: Kubernetes clusters should restrict creation of given resource type
Description: The given Kubernetes resource type should not be deployed in certain namespaces.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-23 08:52:47
add: b81f454c-eebb-4e4f-9dfe-dca060e8a8fd
Category: Managed Identity
Id: d367bd60-64ca-4364-98ea-276775bddd94
DisplayName: [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines
Description: Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy.
Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor
User Access Administrator
2022-05-23 08:52:47
add: d367bd60-64ca-4364-98ea-276775bddd94
Category: Key Vault
Id: ad27588c-0198-4c84-81ef-08efd0274653
DisplayName: [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration
Description: If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-23 08:52:47
add: ad27588c-0198-4c84-81ef-08efd0274653
Category: Machine Learning
Id: 438c38d2-3772-465a-a9cc-7a6666a275ce
DisplayName: Azure Machine Learning workspaces should disable public network access
Description: Disabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-23 08:52:47
change: Major (1.3.0 > 2.0.0)
Category: Container Apps
Id: 0e80e269-43a4-4ae9-b5bc-178126b8a5cb
DisplayName: Container Apps should only be accessible over HTTPS
Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
add: 0e80e269-43a4-4ae9-b5bc-178126b8a5cb
Category: Internet of Things
Id: a222b93a-e6c2-4c01-817f-21e092455b2a
DisplayName: Configure Azure Device Update for IoT Hub accounts to use private DNS zones
Description: Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for Device Update for IoT Hub private endpoints.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Contributor
2022-05-16 16:31:13
add: a222b93a-e6c2-4c01-817f-21e092455b2a
Category: Security Center
Id: 13ce0167-8ca6-4048-8e6b-f996402e3c1b
DisplayName: Configure machines to receive a vulnerability assessment provider
Description: Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2022-05-16 16:31:13
change: Major, old suffix: preview (3.1.0-preview > 4.0.0)
Category: Container Apps
Id: b874ab2d-72dd-47f1-8cb5-4a306478a4e7
DisplayName: Managed Identity should be enabled for Container Apps
Description: Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
add: b874ab2d-72dd-47f1-8cb5-4a306478a4e7
Category: Internet of Things
Id: 27573ebe-7ef3-4472-a8e1-33aef9ea65c5
DisplayName: Configure Azure Device Update for IoT Hub accounts to disable public network access
Description: Disabling the public network access property improves security by ensuring your Device Update for IoT Hub can only be accessed from a private endpoint. This policy disables public network access on Device Update for IoT Hub resources.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
2022-05-16 16:31:13
add: 27573ebe-7ef3-4472-a8e1-33aef9ea65c5
Category: Container Apps
Id: 2b585559-a78e-4cc4-b1aa-fb169d2f6b96
DisplayName: Authentication should be enabled on Container Apps
Description: Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-05-16 16:31:13
add: 2b585559-a78e-4cc4-b1aa-fb169d2f6b96
Category: Container Apps
Id: 7c9f3fbb-739d-4844-8e42-97e3be6450e0
DisplayName: Container App should be configured with a volume mount
Description: Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
add: 7c9f3fbb-739d-4844-8e42-97e3be6450e0
Category: Web PubSub
Id: ee8a7be2-e9b5-47b9-9d37-d9b141ea78a4
DisplayName: Azure Web PubSub Service should enable diagnostic logs
Description: Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-05-16 16:31:13
add: ee8a7be2-e9b5-47b9-9d37-d9b141ea78a4
Category: Internet of Things
Id: 510ec8b2-cb9e-461d-b7f3-6b8678c31182
DisplayName: Public network access for Azure Device Update for IoT Hub accounts should be disabled
Description: Disabling the public network access property improves security by ensuring your Azure Device Update for IoT Hub accounts can only be accessed from a private endpoint.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
add: 510ec8b2-cb9e-461d-b7f3-6b8678c31182
Category: SignalR
Id: d9f1f9a9-8795-49f9-9e7b-e11db14caeb2
DisplayName: Azure SignalR Service should enable diagnostic logs
Description: Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-05-16 16:31:13
add: d9f1f9a9-8795-49f9-9e7b-e11db14caeb2
Category: SQL
Id: d9844e8a-1437-4aeb-a32c-0c992f056095
DisplayName: Public network access should be disabled for MySQL servers
Description: Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
change: Major (1.0.2 > 2.0.0)
Category: Bot Service
Id: 5e8168db-69e3-4beb-9822-57cb59202a9d
DisplayName: Bot Service should have public network access disabled
Description: Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
add: 5e8168db-69e3-4beb-9822-57cb59202a9d
Category: SQL
Id: b52376f7-9612-48a1-81cd-1ffe4b61032c
DisplayName: Public network access should be disabled for PostgreSQL servers
Description: Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
change: Major (1.0.2 > 2.0.0)
Category: Container Apps
Id: d074ddf8-01a5-4b5e-a2b8-964aed452c0a
DisplayName: Container Apps environment should disable public network access
Description: Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
add: d074ddf8-01a5-4b5e-a2b8-964aed452c0a
Category: SQL
Id: fdccbe47-f3e3-4213-ad5d-ea459b2fa077
DisplayName: Public network access should be disabled for MariaDB servers
Description: Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
change: Major (1.0.2 > 2.0.0)
Category: Internet of Things
Id: 5b9d063f-c5fd-4750-a489-1258d1fefcbf
DisplayName: Configure Azure Device Update for IoT Hub accounts with private endpoint
Description: A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Contributor
2022-05-16 16:31:13
add: 5b9d063f-c5fd-4750-a489-1258d1fefcbf
Category: Container Apps
Id: 783ea2a8-b8fd-46be-896a-9ae79643a0b1
DisplayName: Container Apps should disable external network access
Description: Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-16 16:31:13
add: 783ea2a8-b8fd-46be-896a-9ae79643a0b1
Category: Monitoring
Id: 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07
DisplayName: Configure Linux Virtual Machines to be associated with a Data Collection Rule
Description: Deploy Association to link Linux virtual machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-05-06 16:29:23
change: Major (1.0.1 > 2.0.0)
Category: Guest Configuration
Id: 50c52fc9-cb21-4d99-9031-d6a0c613361c
DisplayName: [Preview]: Windows machines should meet STIG compliance requirements for Azure compute
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) provides Security Technical Implementation Guides (STIGs) to secure the compute OS as required by the Department of Defense (DoD). For more details, see https://public.cyber.mil/stigs/.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-05-06 16:29:23
add: 50c52fc9-cb21-4d99-9031-d6a0c613361c
Category: Monitoring
Id: 56a3e4f8-649b-4fac-887e-5564d11e8d3a
DisplayName: Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication
Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-05-06 16:29:23
change: Major (1.0.1 > 2.0.0)
Category: Container Apps
Id: 8b346db6-85af-419b-8557-92cee2c0f9bb
DisplayName: Container App environments should use network injection
Description: Container Apps environments should use virtual network injection to: 1. Isolate Container Apps from the public internet; 2. Enable network integration with resources on-premises or in other Azure virtual networks; 3. Achieve more granular control over network traffic flowing to and from the environment.
Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-05-06 16:29:23
add: 8b346db6-85af-419b-8557-92cee2c0f9bb
Category: Monitoring
Id: ae8a10e6-19d6-44a3-a02d-a2bdfc707742
DisplayName: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-05-06 16:29:23
change: Major (1.0.0 > 2.0.0)
Category: Monitoring
Id: a4034bc6-ae50-406d-bf76-50f4ee5a7811
DisplayName: Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication
Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-05-06 16:29:23
change: Major (1.1.1 > 2.0.0)
Category: Security Center
Id: 6646a0bd-e110-40ca-bb97-84fcee63c414
DisplayName: [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates
Description: [Deprecated: With Cloud Services (classic) retiring (see https://azure.microsoft.com/updates/cloud-services-retirement-announcement), there will no longer be a need for this assessment as management certificates will be obsolete.] Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-05-06 16:29:23
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Category: SQL
Id: 86a912f6-9a06-4e26-b447-11b16ba8659f
DisplayName: Deploy SQL DB transparent data encryption
Description: Enables transparent data encryption on SQL databases.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
SQL DB Contributor
2022-05-06 16:29:23
change: Minor (2.0.0 > 2.1.0)
Category: Security Center
Id: 13ce0167-8ca6-4048-8e6b-f996402e3c1b
DisplayName: Configure machines to receive a vulnerability assessment provider
Description: Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2022-05-06 16:29:23
change: Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)
Category: Monitoring
Id: 59c3d93f-900b-4827-a8bd-562e7b956e7c
DisplayName: Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication
Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-05-06 16:29:23
change: Major (1.0.0 > 2.0.0)
Category: Monitoring
Id: 050a90d5-7cce-483f-8f6c-0df462036dda
DisplayName: Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule
Description: Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-05-06 16:29:23
change: Major (1.0.1 > 2.0.0)
Category: Kubernetes
Id: da6e2401-19da-4532-9141-fb8fbde08431
DisplayName: Azure Kubernetes Service Clusters should use managed identities
Description: Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to manage service principals. Learn more at: https://aka.ms/aks-update-managed-identities
Default: Audit
Allowed: (Audit, Disabled)
2022-05-06 16:29:23
add: da6e2401-19da-4532-9141-fb8fbde08431
Category: Monitoring
Id: 2ea82cdd-f2e8-4500-af75-67a2e084ca74
DisplayName: Configure Linux Machines to be associated with a Data Collection Rule
Description: Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-05-06 16:29:23
change: Major (3.0.1 > 4.0.0)
Category: Machine Learning
Id: 438c38d2-3772-465a-a9cc-7a6666a275ce
DisplayName: Azure Machine Learning workspaces should disable public network access
Description: Disabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-05-06 16:29:23
change: Minor (1.2.0 > 1.3.0)
Category: Monitoring
Id: 32ade945-311e-4249-b8a4-a549924234d7
DisplayName: Linux virtual machine scale sets should have Azure Monitor Agent installed
Description: Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-05-06 16:29:23
change: Major (1.0.0 > 2.0.0)
Category: Monitoring
Id: 1afdc4b6-581a-45fb-b630-f1e6051e3e7a
DisplayName: Linux virtual machines should have Azure Monitor Agent installed
Description: Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-05-06 16:29:23
change: Major (1.0.0 > 2.0.0)
Category: Kubernetes
Id: e1e6c427-07d9-46ab-9689-bfa85431e636
DisplayName: Kubernetes cluster pods and containers should only use allowed SELinux options
Description: Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (5.1.0 > 5.2.0)
Category: Kubernetes
Id: 16697877-1118-4fb1-9b65-9898ec2509ec
DisplayName: Kubernetes cluster pods should only use allowed volume types
Description: Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (3.1.0 > 3.2.0)
Category: Backup
Id: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86
DisplayName: Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-04-29 18:06:01
change: Major (7.1.0 > 8.0.0)
Category: Update Management Center
Id: 59efceea-0c96-497e-a4a1-4eb2290dac15
DisplayName: [Preview]: Configure periodic checking for missing system updates on Azure virtual machines
Description: Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.
Fixed: modify
Virtual Machine Contributor
2022-04-29 18:06:01
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Kubernetes
Id: 975ce327-682c-4f2e-aa46-b9598289b86c
DisplayName: Kubernetes cluster containers should only use allowed seccomp profiles
Description: Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0)
Category: Synapse
Id: cb3738a6-82a2-4a18-b87b-15217b9deff4
DisplayName: Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer
Description: Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
add: cb3738a6-82a2-4a18-b87b-15217b9deff4
Category: Backup
Id: 09ce66bc-1220-4153-8104-e3f51c936913
DisplayName: Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-04-29 18:06:01
change: Major (7.1.0 > 8.0.0)
Category: Lab Services
Id: e8a5a3eb-1ab6-4657-a701-7ae432cf14e1
DisplayName: Lab Services should not allow template virtual machines for labs
Description: This policy prevents creation and customization of template virtual machines for labs managed through Lab Services.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
add: e8a5a3eb-1ab6-4657-a701-7ae432cf14e1
Category: Kubernetes
Id: 6c66c325-74c8-42fd-a286-a74b0e2939d8
DisplayName: Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace
Description: Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-04-29 18:06:01
change: Major (1.0.0 > 2.0.0)
Category: Update Management Center
Id: bfea026e-043f-4ff4-9d1b-bf301ca7ff46
DisplayName: [Preview]: Configure periodic checking for missing system updates on Azure Arc-enabled servers
Description: Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.
Fixed: modify
Azure Connected Machine Resource Administrator
2022-04-29 18:06:01
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Category: Lab Services
Id: 3e13d504-9083-4912-b935-39a085db2249
DisplayName: Lab Services should restrict allowed virtual machine SKU sizes
Description: This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
add: 3e13d504-9083-4912-b935-39a085db2249
Category: Kubernetes
Id: df49d893-a74c-421d-bc95-c663042e5b80
DisplayName: Kubernetes cluster containers should run with a read only root file system
Description: Run containers with a read only root file system to protect against run-time changes such as malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0)
Category: Kubernetes
Id: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
DisplayName: Kubernetes cluster containers should only use allowed ProcMountType
Description: Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (6.2.0 > 6.3.0)
Category: Kubernetes
Id: b1a9997f-2883-4f12-bdff-2280f99b5915
DisplayName: Ensure cluster containers have readiness or liveness probes configured
Description: This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
change: Minor (1.0.0 > 1.1.0)
Category: Kubernetes
Id: 708b60a6-d253-4fe0-9114-4be4c00f012c
DisplayName: [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-04-29 18:06:01
change: Major, suffix remains equal (5.1.0-preview > 6.0.0-preview)
Category: Kubernetes
Id: f06ddb64-5fa3-4b77-b166-acb36f7f6042
DisplayName: Kubernetes cluster pods and containers should only run with approved user and group IDs
Description: Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0)
Category: Kubernetes
Id: 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
DisplayName: Kubernetes clusters should not allow container privilege escalation
Description: Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0)
Category: Kubernetes
Id: c26596ff-4d70-4e6a-9a30-c2506bd2f80c
DisplayName: Kubernetes cluster containers should only use allowed capabilities
Description: Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0)
Category: Kubernetes
Id: e345eecc-fa47-480f-9e88-67dcc122b164
DisplayName: Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
Description: Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (7.1.0 > 7.2.0)
Category: Kubernetes
Id: d2e7ea85-6b44-4317-a0be-1b951587f626
DisplayName: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
Description: To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (3.2.0 > 3.3.0)
Category: Kubernetes
Id: 95edb821-ddaf-4404-9732-666045e056b4
DisplayName: Kubernetes cluster should not allow privileged containers
Description: Do not allow privileged container creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (7.1.0 > 7.2.0)
Category: Kubernetes
Id: 46592696-4c7b-4bf3-9e45-6c2763bdc0a6
DisplayName: Kubernetes cluster pods should use specified labels
Description: Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (6.1.0 > 6.2.0)
Category: Kubernetes
Id: 50c83470-d2f0-4dda-a716-1938a4825f62
DisplayName: Kubernetes cluster containers should only use allowed pull policy
Description: Restrict containers' pull policy to enforce containers to use only allowed images on deployments.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
change: Minor (1.0.0 > 1.1.0)
Category: Backup
Id: 83644c87-93dd-49fe-bf9f-6aff8fd0834e
DisplayName: Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-04-29 18:06:01
change: Major (7.1.0 > 8.0.0)
Category: Kubernetes
Id: a27c700f-8a22-44ec-961c-41625264370b
DisplayName: Kubernetes clusters should not use specific security capabilities
Description: Block specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (3.1.0 > 3.2.0)
Category: SignalR
Id: 53503636-bcc9-4748-9663-5348217f160f
DisplayName: [Deprecated]: Azure SignalR Service should use private link
Description: The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
change: Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated)
Category: Kubernetes
Id: 82985f06-dc18-4a48-bc1c-b9f4f0098cfe
DisplayName: Kubernetes cluster pods should only use approved host network and port range
Description: Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0)
Category: Lab Services
Id: 0fd9915e-cab3-4f24-b200-6e20e1aa276a
DisplayName: Lab Services should require non-admin user for labs
Description: This policy requires non-admin user accounts to be created for the labs managed through lab-services.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
add: 0fd9915e-cab3-4f24-b200-6e20e1aa276a
Category: Kubernetes
Id: 098fc59e-46c7-4d99-9b16-64990e543d75
DisplayName: Kubernetes cluster pod hostPath volumes should only use allowed host paths
Description: Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0)
Category: Web PubSub
Id: 52630df9-ca7e-442b-853b-c6ce548b31a2
DisplayName: [Deprecated]: Azure Web PubSub Service should use private link
Description: The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/eb907f70-7514-460d-92b3-a5ae93b4f917 instead.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
change: Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated)
Category: Kubernetes
Id: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
DisplayName: Kubernetes cluster containers should not share host process ID or host IPC namespace
Description: Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (3.1.0 > 3.2.0)
Category: Backup
Id: 345fa903-145c-4fe1-8bcd-93ec2adccde8
DisplayName: Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-04-29 18:06:01
change: Major (7.1.0 > 8.0.0)
Category: Lab Services
Id: a6e9cf2d-7d76-440e-b795-8da246bd3aab
DisplayName: Lab Services should enable all options for auto shutdown
Description: This policy helps with cost management by enforcing that all automatic shutdown options are enabled for a lab.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
add: a6e9cf2d-7d76-440e-b795-8da246bd3aab
Category: Kubernetes
Id: a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1
DisplayName: Kubernetes cluster Windows containers should not overcommit cpu and memory
Description: Windows container resource requests should be less than or equal to the resource limit, or left unspecified, to avoid overcommit. If Windows memory is over-provisioned it will page to disk, which can slow down performance, instead of terminating the container with out-of-memory.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-29 18:06:01
add: a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1
Category: Kubernetes
Id: 511f5417-5d12-434d-ab2e-816901e72a5e
DisplayName: Kubernetes cluster containers should only use allowed AppArmor profiles
Description: Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0)
Category: Synapse
Id: 8b5c654c-fb07-471b-aa8f-15fea733f140
DisplayName: Configure Azure Synapse Workspace Dedicated SQL minimum TLS version
Description: Customers can raise or lower the minimum TLS version using the API, for both new and existing Synapse workspaces, so users who need to use a lower client version in the workspaces can still connect, while users with security requirements can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
2022-04-29 18:06:01
add: 8b5c654c-fb07-471b-aa8f-15fea733f140
Category: Kubernetes
Id: 8dfab9c4-fe7b-49ad-85e4-1e9be085358f
DisplayName: [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-04-29 18:06:01
change: Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview)
Category: Kubernetes
Id: 8dfab9c4-fe7b-49ad-85e4-1e9be085358f
DisplayName: [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-04-22 19:50:54
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Category: Monitoring
Id: c02729e5-e5e7-4458-97fa-2b5ad0661f28
DisplayName: Windows virtual machines should have Azure Monitor Agent installed
Description: Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-04-22 19:50:54
change: Major (2.0.0 > 3.0.0)
Category: Monitoring
Id: 3672e6f7-a74d-4763-b138-fcf332042f8f
DisplayName: Windows virtual machine scale sets should have Azure Monitor Agent installed
Description: Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-04-22 19:50:54
change: Major (2.0.0 > 3.0.0)
Category: Kubernetes
Id: 50c83470-d2f0-4dda-a716-1938a4825f62
DisplayName: Kubernetes cluster containers should only use allowed pull policy
Description: Restrict containers' pull policy to enforce containers to use only allowed images on deployments.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-22 19:50:54
add: 50c83470-d2f0-4dda-a716-1938a4825f62
Category: SQL
Id: 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48
DisplayName: Public network access should be disabled for PostgreSQL flexible servers
Description: Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range and denies all logins that match IP or virtual network-based firewall rules.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-22 19:50:54
change: Major (2.0.0 > 3.0.0)
Category: Storage
Id: fe83a0eb-a853-422d-aac2-1bffd182c5d0
DisplayName: Storage accounts should have the specified minimum TLS version
Description: Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-22 19:50:54
add: fe83a0eb-a853-422d-aac2-1bffd182c5d0
Category: Kubernetes
Id: 708b60a6-d253-4fe0-9114-4be4c00f012c
DisplayName: [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-04-22 19:50:54
change: Major, suffix remains equal (4.1.0-preview > 5.1.0-preview)
Category: Kubernetes
Id: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
DisplayName: Kubernetes cluster containers should only use allowed ProcMountType
Description: Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-15 17:17:14
change: Minor (6.1.0 > 6.2.0)
Category: Cache
Id: 7d092e0a-7acd-40d2-a975-dca21cae48c4
DisplayName: [Deprecated]: Azure Cache for Redis should reside within a virtual network
Description: Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-04-15 17:17:14
change: Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated)
Category: Security Center
Id: d30025d0-6d64-656d-6465-67688881b632
DisplayName: [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines
Description: Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-04-15 17:17:14
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Security Center
Id: 4eb909e7-6d64-656d-6465-2eeb297a1625
DisplayName: [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines
Description: Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-04-15 17:17:14
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Security Center
Id: 37c043a6-6d64-656d-6465-b362dfeb354a
DisplayName: [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines
Description: Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-04-15 17:17:14
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Kubernetes
Id: 73868911-4f4a-444f-adbd-5382bf70208a
DisplayName: Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed
Description: Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: https://aka.ms/arc-osm-doc
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Owner
2022-04-15 17:17:14
add: 73868911-4f4a-444f-adbd-5382bf70208a
Category: Stream Analytics
Id: ea6c4923-510a-4346-be26-1894919a5b97
DisplayName: Stream Analytics job should use managed identity to authenticate endpoints
Description: Ensure that Stream Analytics jobs only connect to endpoints using managed identity authentication.
Default: Audit
Allowed: (Deny, Disabled, Audit)
2022-04-15 17:17:14
add: ea6c4923-510a-4346-be26-1894919a5b97
Category: Security Center
Id: 1ec9c2c2-6d64-656d-6465-3ec3309b8579
DisplayName: [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines
Description: Deploys Microsoft Defender for Endpoint on applicable Windows VM images.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-04-15 17:17:14
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Monitoring
Id: 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff
DisplayName: Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity
Description: Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-04-08 16:22:13
change: Patch (3.0.0 > 3.0.1)
Category: Monitoring
Id: 98569e20-8f32-4f31-bf34-0e91590ae9d3
DisplayName: Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication
Description: Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-04-08 16:22:13
add: 98569e20-8f32-4f31-bf34-0e91590ae9d3
Category: Monitoring
Id: 637125fd-7c39-4b94-bb0a-d331faf333a9
DisplayName: Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
Description: Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-04-08 16:22:13
add: 637125fd-7c39-4b94-bb0a-d331faf333a9
Category: Monitoring
Id: ca817e41-e85a-4783-bc7f-dc532d36235e
DisplayName: Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity
Description: Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-04-08 16:22:13
change: Patch (4.0.0 > 4.0.1)
Category: Backup
Id: 09ce66bc-1220-4153-8104-e3f51c936913
DisplayName: Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-04-08 16:22:13
change: Major (6.1.0 > 7.1.0)
Category: Backup
Id: 83644c87-93dd-49fe-bf9f-6aff8fd0834e
DisplayName: Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-04-08 16:22:13
change: Major (6.1.0 > 7.1.0)
Category: Backup
Id: 345fa903-145c-4fe1-8bcd-93ec2adccde8
DisplayName: Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-04-08 16:22:13
change: Major (6.1.0 > 7.1.0)
Category: Backup
Id: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86
DisplayName: Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-04-08 16:22:13
change: Major (6.1.0 > 7.1.0)
Category: Regulatory Compliance
Id: d7d66d05-bf34-4555-b5f2-8b749def4098
DisplayName: Microsoft Managed Control 1837 - Data Retention And Disposal | System Configuration
Description: Microsoft implements this Data Minimization and Retention control.
Fixed: audit
2022-04-01 20:29:14
add: d7d66d05-bf34-4555-b5f2-8b749def4098
Category: Stream Analytics
Id: 87ba29ef-1ab3-4d82-b763-87fcd4f531f7
DisplayName: Azure Stream Analytics jobs should use customer-managed keys to encrypt data
Description: Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Category: Regulatory Compliance
Id: 68f837d0-8942-4b1e-9b31-be78b247bda8
DisplayName: Microsoft Managed Control 1070 - Wireless Access Restrictions | Disable Wireless Networking
Description: Microsoft implements this Access Control control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 9870806c-153f-4fa5-aafa-c5f5eeb72292
DisplayName: Microsoft Managed Control 1741 - Enterprise Architecture
Description: Microsoft implements this Program Management control.
Fixed: audit
2022-04-01 20:29:14
add: 9870806c-153f-4fa5-aafa-c5f5eeb72292
Category: Regulatory Compliance
Id: 3044f5dc-93dd-4da0-b25d-bb6cedde3536
DisplayName: Microsoft Managed Control 1862 - System of Records Notices And Privacy Act Statements
Description: Microsoft implements this Transparency control.
Fixed: audit
2022-04-01 20:29:14
add: 3044f5dc-93dd-4da0-b25d-bb6cedde3536
Category: Regulatory Compliance
Id: 4d1d4ce2-71ea-4578-bbb4-fe76215d45ac
DisplayName: Microsoft Managed Control 1811 - Privacy Requirements for Contractors And Service Providers
Description: Microsoft implements this Accountability, Audit, and Risk Management control.
Fixed: audit
2022-04-01 20:29:14
add: 4d1d4ce2-71ea-4578-bbb4-fe76215d45ac
Category: Monitoring
Id: ea0dfaed-95fb-448c-934e-d6e713ce393d
DisplayName: Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)
Description: To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported in the region; see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Category: Regulatory Compliance
Id: d39620a4-95c6-4d4f-8aa4-83c0c6a2c640
DisplayName: Microsoft Managed Control 1818 - Accounting of Disclosures
Description: Microsoft implements this Accountability, Audit, and Risk Management control.
Fixed: audit
2022-04-01 20:29:14
add: d39620a4-95c6-4d4f-8aa4-83c0c6a2c640
Category: Monitoring
Id: fa298e57-9444-42ba-bf04-86e8470e32c7
DisplayName: Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption
Description: Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Category: Regulatory Compliance
Id: 426f3a87-2d38-47e9-9687-c095441cd82c
DisplayName: Microsoft Managed Control 1732 - Information Security Program Plan
Description: Microsoft implements this Program Management control.
Fixed: audit
2022-04-01 20:29:14
add: 426f3a87-2d38-47e9-9687-c095441cd82c
Category: Regulatory Compliance
Id: 91c97b44-791e-46e9-bad7-ab7c4949edbb
DisplayName: Microsoft Managed Control 1069 - Wireless Access Restrictions | Authentication And Encryption
Description: Microsoft implements this Access Control control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: e54c325e-42a0-4dcf-b105-046e0f6f590f
DisplayName: Microsoft Managed Control 1716 - Software & Information Integrity | Integration Of Detection And Response
Description: Microsoft implements this System and Information Integrity control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 80ca0a27-918a-4604-af9e-723a27ee51e8
DisplayName: Microsoft Managed Control 1303 - User Identification And Authentication | Local Access To Privileged Accounts
Description: Microsoft implements this Identification and Authentication control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef
DisplayName: Microsoft Managed Control 1717 - Software & Information Integrity | Binary Or Machine Executable Code
Description: Microsoft implements this System and Information Integrity control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Key Vault
Id: 0a075868-4c26-42ef-914c-5bc007359560
DisplayName: [Preview]: Certificates should have the specified maximum validity period
Description: Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview)
Category: Regulatory Compliance
Id: fb3c7f40-4c97-4fdd-94c9-e7d99b4f6e42
DisplayName: Microsoft Managed Control 1750 - Mission/Business Process Definition
Description: Microsoft implements this Program Management control.
Fixed: audit
2022-04-01 20:29:14
add: fb3c7f40-4c97-4fdd-94c9-e7d99b4f6e42
Category: Regulatory Compliance
Id: ad2f8e61-a564-4dfd-8eaa-816f5be8cb34
DisplayName: Microsoft Managed Control 1569 - Acquisitions Process
Description: Microsoft implements this System and Services Acquisition control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Monitoring
Id: 6c53d030-cc64-46f0-906d-2bc061cd1334
DisplayName: Log Analytics workspaces should block log ingestion and querying from public networks
Description: Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Category: Regulatory Compliance
Id: f751cdb7-fbee-406b-969b-815d367cb9b3
DisplayName: Microsoft Managed Control 1591 - External Information System Services | Identification Of Functions / Ports / Protocols...
Description: Microsoft implements this System and Services Acquisition control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: c3e4fa5d-c0c4-46c4-9a13-bb9b9f0b003f
DisplayName: Microsoft Managed Control 1865 - System of Records Notices And Privacy Act Statements | Public Website Publication
Description: Microsoft implements this Transparency control
Effect: audit (fixed)
2022-04-01 20:29:14
add: c3e4fa5d-c0c4-46c4-9a13-bb9b9f0b003f
Category: Kubernetes
Id: e345eecc-fa47-480f-9e88-67dcc122b164
DisplayName: Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
Description: Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Deny (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (7.0.1 > 7.1.0)
Category: Key Vault
Id: a22f4a40-01d3-4c7d-8071-da157eeff341
DisplayName: Certificates should be issued by the specified non-integrated certificate authority
Description: Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0)
Category: Regulatory Compliance
Id: 952a545c-6dc5-4999-aeb6-51ed27dc7ea5
DisplayName: Microsoft Managed Control 1854 - Inventory of Personally Identifiable Information
Description: Microsoft implements this Security control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 952a545c-6dc5-4999-aeb6-51ed27dc7ea5
Category: Backup
Id: 345fa903-145c-4fe1-8bcd-93ec2adccde8
DisplayName: Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag.
Effect: DeployIfNotExists (default)
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0)
Category: Regulatory Compliance
Id: a36eb487-cbd1-4fe7-a3df-2efc6aa2c2b6
DisplayName: Microsoft Managed Control 1745 - Risk Management Strategy
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: a36eb487-cbd1-4fe7-a3df-2efc6aa2c2b6
Category: Key Vault
Id: 8e826246-c976-48f6-b03e-619bb92b3d82
DisplayName: Certificates should be issued by the specified integrated certificate authority
Description: Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0)
Category: Regulatory Compliance
Id: 0f559588-5e53-4b14-a7c4-85d28ebc2234
DisplayName: Microsoft Managed Control 1430 - Media Labeling
Description: Microsoft implements this Media Protection control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Kubernetes
Id: f06ddb64-5fa3-4b77-b166-acb36f7f6042
DisplayName: Kubernetes cluster pods and containers should only run with approved user and group IDs
Description: Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (4.0.3 > 4.1.0)
Category: Regulatory Compliance
Id: 07458826-9325-4481-abaf-bc9ed043459d
DisplayName: Microsoft Managed Control 1744 - Risk Management Strategy
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 07458826-9325-4481-abaf-bc9ed043459d
Category: Regulatory Compliance
Id: 40fcc635-52a2-4dbc-9523-80a1f4aa1de6
DisplayName: Microsoft Managed Control 1438 - Media Sanitization And Disposal
Description: Microsoft implements this Media Protection control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 04f5fb00-80bb-48a9-a75b-4cb4d4c97c36
DisplayName: Microsoft Managed Control 1572 - Acquisitions Process
Description: Microsoft implements this System and Services Acquisition control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Monitoring
Id: d550e854-df1a-4de9-bf44-cd894b39a95e
DisplayName: Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace
Description: Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Category: Regulatory Compliance
Id: b11c985b-f2cd-4bd7-85f4-b52426edf905
DisplayName: Microsoft Managed Control 1571 - Acquisitions Process
Description: Microsoft implements this System and Services Acquisition control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 669ac708-82af-46f6-8bd6-75b48247489d
DisplayName: Microsoft Managed Control 1864 - System of Records Notices And Privacy Act Statements
Description: Microsoft implements this Transparency control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 669ac708-82af-46f6-8bd6-75b48247489d
Category: Kubernetes
Id: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
DisplayName: Kubernetes cluster containers should only use allowed ProcMountType
Description: Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0)
Category: Kubernetes
Id: 9f061a12-e40d-4183-a00e-171812443373
DisplayName: Kubernetes clusters should not use the default namespace
Description: Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (2.1.2 > 2.2.0)
Category: Regulatory Compliance
Id: ea979184-f7c4-42be-86d2-584b95c34540
DisplayName: Microsoft Managed Control 1869 - Information Sharing with Third Parties
Description: Microsoft implements this Use Limitation control
Effect: audit (fixed)
2022-04-01 20:29:14
add: ea979184-f7c4-42be-86d2-584b95c34540
Category: Regulatory Compliance
Id: 3a02bf7a-8fb7-4c97-bd55-4a8592764cc8
DisplayName: Microsoft Managed Control 1840 - Minimization of PII Used in Testing, Training, And Research | Risk Minimization Techniques
Description: Microsoft implements this Data Minimization and Retention control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 3a02bf7a-8fb7-4c97-bd55-4a8592764cc8
Category: Regulatory Compliance
Id: d02e586f-d430-4053-b672-c14a788ad59f
DisplayName: Microsoft Managed Control 1823 - Data Quality
Description: Microsoft implements this Data Quality and Integrity control
Effect: audit (fixed)
2022-04-01 20:29:14
add: d02e586f-d430-4053-b672-c14a788ad59f
Category: Regulatory Compliance
Id: 01524fa8-4555-48ce-ba5f-c3b8dcef5147
DisplayName: Microsoft Managed Control 1142 - Certification, Authorization, Security Assessment Policy And Procedures
Description: Microsoft implements this Security Assessment and Authorization control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 27a69937-af92-4198-9b86-08d355c7e59a
DisplayName: Microsoft Managed Control 1074 - Access Control for Portable And Mobile Systems
Description: Microsoft implements this Access Control control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 5ec0d156-53ba-4f29-8c17-1525cde54129
DisplayName: Microsoft Managed Control 1844 - Consent
Description: Microsoft implements this Individual Participation and Redress control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 5ec0d156-53ba-4f29-8c17-1525cde54129
Category: Regulatory Compliance
Id: 39f15e01-d964-41ee-88e3-eefbddc840cd
DisplayName: Microsoft Managed Control 1846 - Individual Access
Description: Microsoft implements this Individual Participation and Redress control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 39f15e01-d964-41ee-88e3-eefbddc840cd
Category: Regulatory Compliance
Id: cf1cad59-1012-4b55-9b80-427596ea1f4f
DisplayName: Microsoft Managed Control 1867 - Dissemination of Privacy Program Information
Description: Microsoft implements this Transparency control
Effect: audit (fixed)
2022-04-01 20:29:14
add: cf1cad59-1012-4b55-9b80-427596ea1f4f
Category: Kubernetes
Id: c050047b-b21b-4822-8a2d-c1e37c3c0c6a
DisplayName: Configure Kubernetes clusters with specified GitOps configuration using SSH secrets
Description: Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.
Effect: DeployIfNotExists (default)
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Contributor
2022-04-01 20:29:14
change: Minor (1.0.1 > 1.1.0)
Category: Machine Learning
Id: 5853517a-63de-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure allowed registries for specified Azure Machine Learning computes
Description: Specify the container registries that the selected Azure Machine Learning computes are allowed to pull from; the policy can be assigned at workspace scope. For more information, visit https://aka.ms/amlpolicydoc.
Effect: enforceSetting (default)
Allowed: (enforceSetting, disabled)
2022-04-01 20:29:14
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Category: Regulatory Compliance
Id: 1437bf9c-feef-4c82-a57a-22d1fcbcd247
DisplayName: Microsoft Managed Control 1872 - Information Sharing with Third Parties
Description: Microsoft implements this Use Limitation control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 1437bf9c-feef-4c82-a57a-22d1fcbcd247
Category: Regulatory Compliance
Id: 563f2ce4-2d95-44b6-b828-275a2f3cac47
DisplayName: Microsoft Managed Control 1848 - Individual Access
Description: Microsoft implements this Individual Participation and Redress control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 563f2ce4-2d95-44b6-b828-275a2f3cac47
Category: Kubernetes
Id: 1d61c4d2-aef2-432b-87fc-7f96b019b7e1
DisplayName: Configure Kubernetes clusters with specified GitOps configuration using no secrets
Description: Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy.
Effect: DeployIfNotExists (default)
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Contributor
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Category: Key Vault
Id: bd78111f-4953-4367-9fd5-7e08808b54bf
DisplayName: Certificates using elliptic curve cryptography should have allowed curve names
Description: Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0)
Category: Regulatory Compliance
Id: 51f2fa3e-cd5f-4713-a9ce-177ee7a22d48
DisplayName: Microsoft Managed Control 1828 - Data Integrity And Data Integrity Board
Description: Microsoft implements this Data Quality and Integrity control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 51f2fa3e-cd5f-4713-a9ce-177ee7a22d48
Category: Regulatory Compliance
Id: 9d9166a8-1722-4b8f-847c-2cf3f2618b3d
DisplayName: Microsoft Managed Control 1305 - User Identification And Authentication | Group Authentication
Description: Microsoft implements this Identification and Authentication control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 3bd38f52-1833-42b2-b9aa-e1b9dcd0143b
DisplayName: Microsoft Managed Control 1747 - Security Authorization Process
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 3bd38f52-1833-42b2-b9aa-e1b9dcd0143b
Category: Regulatory Compliance
Id: 7522ed84-70d5-4181-afc0-21e50b1b6d0e
DisplayName: Microsoft Managed Control 1417 - Remote Maintenance | Comparable Security / Sanitization
Description: Microsoft implements this Maintenance control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 1189aa19-fbcf-4b3e-b9ec-76508e2fa17b
DisplayName: Microsoft Managed Control 1850 - Redress
Description: Microsoft implements this Individual Participation and Redress control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 1189aa19-fbcf-4b3e-b9ec-76508e2fa17b
Category: Monitoring
Id: 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8
DisplayName: Application Insights components should block log ingestion and querying from public networks
Description: Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Category: Regulatory Compliance
Id: 2ce63a52-e47b-4ae2-adbb-6e40d967f9e6
DisplayName: Microsoft Managed Control 1414 - Remote Maintenance
Description: Microsoft implements this Maintenance control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Kubernetes
Id: 511f5417-5d12-434d-ab2e-816901e72a5e
DisplayName: Kubernetes cluster containers should only use allowed AppArmor profiles
Description: Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (4.0.3 > 4.1.0)
Category: Regulatory Compliance
Id: b23bd715-5d1c-4e5c-9759-9cbdf79ded9d
DisplayName: Microsoft Managed Control 1091 - Security Awareness
Description: Microsoft implements this Awareness and Training control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 0a2119c1-f068-4bfe-9f03-db94317e8db9
DisplayName: Microsoft Managed Control 1855 - Inventory of Personally Identifiable Information
Description: Microsoft implements this Security control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 0a2119c1-f068-4bfe-9f03-db94317e8db9
Category: Regulatory Compliance
Id: 5f18c885-ade3-48c5-80b1-8f9216019c18
DisplayName: Microsoft Managed Control 1576 - Acquisitions Process | Design / Implementation Information For Security Controls
Description: Microsoft implements this System and Services Acquisition control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: ef080e67-0d1a-4f76-a0c5-fb9b0358485e
DisplayName: Microsoft Managed Control 1089 - Security Awareness
Description: Microsoft implements this Awareness and Training control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 2d045bca-a0fd-452e-9f41-4ec33769717c
DisplayName: Microsoft Managed Control 1068 - Wireless Access Restrictions
Description: Microsoft implements this Access Control control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 855ced56-417b-4d74-9d5f-dd1bc81e22d6
DisplayName: Microsoft Managed Control 1348 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Third-Party...
Description: Microsoft implements this Identification and Authentication control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Kubernetes
Id: 708b60a6-d253-4fe0-9114-4be4c00f012c
DisplayName: [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Effect: DeployIfNotExists (default)
Allowed: (DeployIfNotExists, Disabled)
Roles used: Contributor, Log Analytics Contributor
2022-04-01 20:29:14
change: Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview)
Category: Regulatory Compliance
Id: e12494fa-b81e-4080-af71-7dbacc2da0ec
DisplayName: Microsoft Managed Control 1714 - Software & Information Integrity | Automated Notifications Of Integrity Violations
Description: Microsoft implements this System and Information Integrity control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 4b0d8d1d-7800-4b62-b4bf-6eecde12b2af
DisplayName: Microsoft Managed Control 1813 - Privacy Awareness And Training
Description: Microsoft implements this Accountability, Audit, and Risk Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 4b0d8d1d-7800-4b62-b4bf-6eecde12b2af
Category: Bot Service
Id: 52152f42-0dda-40d9-976e-abb1acdd611e
DisplayName: Bot Service should have isolated mode enabled
Description: Bots should be set to 'isolated only' mode. This setting disables the Bot Service channels that require traffic over the public internet.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (2.0.0 > 2.1.0)
Category: Monitoring
Id: 17b3de92-f710-4cf4-aa55-0e7859f1ed7b
DisplayName: [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs
Description: Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location.
Effect: Modify (default)
Allowed: (Modify, Disabled)
Roles used: Virtual Machine Contributor, Managed Identity Contributor, Managed Identity Operator
2022-04-01 20:29:14
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Category: Regulatory Compliance
Id: b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08
DisplayName: Microsoft Managed Control 1301 - User Identification And Authentication | Network Access To Privileged Accounts
Description: Microsoft implements this Identification and Authentication control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 74520428-3aa8-449c-938d-93f51940759e
DisplayName: Microsoft Managed Control 1739 - Information System Inventory
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 74520428-3aa8-449c-938d-93f51940759e
Category: Backup
Id: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86
DisplayName: Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.
Effect: DeployIfNotExists (default)
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0)
Category: Regulatory Compliance
Id: d461dd50-c8fb-4ccb-93bf-61f53b44e54d
DisplayName: Microsoft Managed Control 1742 - Critical Infrastructure Plan
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: d461dd50-c8fb-4ccb-93bf-61f53b44e54d
Category: Regulatory Compliance
Id: b6a8eae8-9854-495a-ac82-d2cd3eac02a6
DisplayName: Microsoft Managed Control 1568 - Acquisitions Process
Description: Microsoft implements this System and Services Acquisition control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 1f01608c-5f35-492d-8763-8edf0080cc38
DisplayName: Microsoft Managed Control 1738 - Plan Of Action And Milestones Process
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 1f01608c-5f35-492d-8763-8edf0080cc38
Category: Regulatory Compliance
Id: 12718e41-af09-43b9-b6e4-7caae73b410b
DisplayName: Microsoft Managed Control 1754 - Testing, Training, And Monitoring
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 12718e41-af09-43b9-b6e4-7caae73b410b
Category: Backup
Id: 83644c87-93dd-49fe-bf9f-6aff8fd0834e
DisplayName: Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.
Effect: DeployIfNotExists (default)
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0)
Category: Regulatory Compliance
Id: a4eb2ba5-62b5-4524-83f0-7e05896edc76
DisplayName: Microsoft Managed Control 1824 - Data Quality
Description: Microsoft implements this Data Quality and Integrity control
Effect: audit (fixed)
2022-04-01 20:29:14
add: a4eb2ba5-62b5-4524-83f0-7e05896edc76
Category: Key Vault
Id: 12ef42cb-9903-4e39-9c26-422d29570417
DisplayName: Certificates should have the specified lifetime action triggers
Description: Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0)
Category: Regulatory Compliance
Id: af2a93c8-e6dd-4c94-acdd-4a2eedfc478e
DisplayName: Microsoft Managed Control 1710 - Security Functionality Verification
Description: Microsoft implements this System and Information Integrity control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: b92ae63b-4411-48ba-b5c9-5bcaef5f8d02
DisplayName: Microsoft Managed Control 1841 - Consent
Description: Microsoft implements this Individual Participation and Redress control
Effect: audit (fixed)
2022-04-01 20:29:14
add: b92ae63b-4411-48ba-b5c9-5bcaef5f8d02
Category: Regulatory Compliance
Id: 4e54c7ef-7457-430b-9a3e-ef8881d4a8e0
DisplayName: Microsoft Managed Control 1579 - Acquisitions Process | Use Of Approved Piv Products
Description: Microsoft implements this System and Services Acquisition control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 32d58eb6-4c76-4881-87ce-522b0e787bd0
DisplayName: Microsoft Managed Control 1735 - Information Security Resources
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 32d58eb6-4c76-4881-87ce-522b0e787bd0
Category: Regulatory Compliance
Id: 0b1aa965-7502-41f9-92be-3e2fe7cc392a
DisplayName: Microsoft Managed Control 1046 - Unsuccessful Logon Attempts | Purge / Wipe Mobile Device
Description: Microsoft implements this Access Control control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 0afb38a3-5e1c-4339-9ab4-df6a3dfc7da2
DisplayName: Microsoft Managed Control 1804 - Governance And Privacy Program
Description: Microsoft implements this Accountability, Audit, and Risk Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 0afb38a3-5e1c-4339-9ab4-df6a3dfc7da2
Category: Regulatory Compliance
Id: 2bfea08c-2567-4f29-aad7-0f238ce655ea
DisplayName: Microsoft Managed Control 1758 - Threat Awareness Program
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 2bfea08c-2567-4f29-aad7-0f238ce655ea
Category: Regulatory Compliance
Id: cceea882-9d83-4ca6-b30e-6a7b381a8e6a
DisplayName: Microsoft Managed Control 1866 - Dissemination of Privacy Program Information
Description: Microsoft implements this Transparency control
Effect: audit (fixed)
2022-04-01 20:29:14
add: cceea882-9d83-4ca6-b30e-6a7b381a8e6a
Category: Kubernetes
Id: c26596ff-4d70-4e6a-9a30-c2506bd2f80c
DisplayName: Kubernetes cluster containers should only use allowed capabilities
Description: Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (4.0.2 > 4.1.0)
Category: Regulatory Compliance
Id: 66a56404-7b65-4e33-b371-28d069172dd4
DisplayName: Microsoft Managed Control 1743 - Risk Management Strategy
Description: Microsoft implements this Program Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 66a56404-7b65-4e33-b371-28d069172dd4
Category: Kubernetes
Id: 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e
DisplayName: Kubernetes clusters should use internal load balancers
Description: Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.
Effect: Deny (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (6.0.1 > 6.1.0)
Category: Storage
Id: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
DisplayName: [Preview]: Storage account public access should be disallowed
Description: Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor, suffix remains equal (3.0.1-preview > 3.1.0-preview)
Category: Regulatory Compliance
Id: 8a29d47b-8604-4667-84ef-90d203fcb305
DisplayName: Microsoft Managed Control 1092 - Security Awareness | Insider Threat
Description: Microsoft implements this Awareness and Training control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: API for FHIR
Id: 051cba44-2429-45b9-9649-46cec11c7119
DisplayName: Azure API for FHIR should use a customer-managed key to encrypt data at rest
Description: Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.
Effect: Audit (default)
Allowed: (audit, Audit, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.1 > 1.1.0)
Category: Machine Learning
Id: 6a6f7384-63de-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure code signing for training code for specified Azure Machine Learning computes
Description: Require code signing for training code that runs on the specified Azure Machine Learning computes; the policy can be assigned at workspace scope. For more information, visit https://aka.ms/amlpolicydoc.
Effect: enforceSetting (default)
Allowed: (enforceSetting, disabled)
2022-04-01 20:29:14
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Category: Regulatory Compliance
Id: c6c43097-8552-4279-8b38-7dcabff781d3
DisplayName: Microsoft Managed Control 1819 - Accounting of Disclosures
Description: Microsoft implements this Accountability, Audit, and Risk Management control
Effect: audit (fixed)
2022-04-01 20:29:14
add: c6c43097-8552-4279-8b38-7dcabff781d3
Category: Regulatory Compliance
Id: 5c5e54f6-0127-44d0-8b61-f31dc8dd6190
DisplayName: Microsoft Managed Control 1067 - Wireless Access Restrictions
Description: Microsoft implements this Access Control control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Kubernetes
Id: d46c275d-1680-448d-b2ec-e495a3b6cc89
DisplayName: Kubernetes cluster services should only use allowed external IPs
Description: Allow only approved external IPs on Services to mitigate the attack described in CVE-2020-8554 in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0)
Category: Regulatory Compliance
Id: 2e5cd188-7fa8-41fc-87ff-0ac7475ccb25
DisplayName: Microsoft Managed Control 1845 - Consent | Mechanisms Supporting Itemized or Tiered Consent
Description: Microsoft implements this Individual Participation and Redress control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 2e5cd188-7fa8-41fc-87ff-0ac7475ccb25
Category: Kubernetes
Id: f4a8fce0-2dd5-4c21-9a36-8f0ec809d663
DisplayName: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
Description: Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0)
Category: Regulatory Compliance
Id: 025992d6-7fee-4137-9bbf-2ffc39c0686c
DisplayName: Microsoft Managed Control 1709 - Security Functionality Verification
Description: Microsoft implements this System and Information Integrity control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 71c6c2b1-78c8-4e84-9d05-9bd4db116cba
DisplayName: Microsoft Managed Control 1858 - Privacy Notice
Description: Microsoft implements this Transparency control
Effect: audit (fixed)
2022-04-01 20:29:14
add: 71c6c2b1-78c8-4e84-9d05-9bd4db116cba
Category: Kubernetes
Id: a27c700f-8a22-44ec-961c-41625264370b
DisplayName: Kubernetes clusters should not use specific security capabilities
Description: Block specific Linux capabilities in Kubernetes clusters so that Pods cannot obtain privileges that have not been granted. For more information, see https://aka.ms/kubepolicydoc.
Effect: Audit (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0)
Category: Regulatory Compliance
Id: 7c6de11b-5f51-4f7c-8d83-d2467c8a816e
DisplayName: Microsoft Managed Control 1143 - Certification, Authorization, Security Assessment Policy And Procedures
Description: Microsoft implements this Security Assessment and Authorization control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Regulatory Compliance
Id: 898d4fe8-f743-4333-86b7-0c9245d93e7d
DisplayName: Microsoft Managed Control 1411 - Remote Maintenance
Description: Microsoft implements this Maintenance control
Effect: audit (fixed)
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Category: Kubernetes
Id: 440b515e-a580-421e-abeb-b159a61ddcbc
DisplayName: [Deprecated]: Kubernetes cluster containers should only listen on allowed ports
Description: Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is being deprecated because containerPort is an informational field only and does not determine which port the container actually uses. For more information, see https://aka.ms/kubepolicydoc.
Effect: Deny (default)
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor, suffix remains equal (6.1.3-deprecated > 6.2.0-deprecated)
Category: Monitoring
Id: a4034bc6-ae50-406d-bf76-50f4ee5a7811
DisplayName: Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication
Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Effect: DeployIfNotExists (default)
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2022-04-01 20:29:14
change: Patch (1.1.0 > 1.1.1)
Regulatory Compliance6bfe6405-805c-4c9b-a9d3-f209237bb95dMicrosoft Managed Control 1802 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control Fixed: audit
2022-04-01 20:29:14
add: 6bfe6405-805c-4c9b-a9d3-f209237bb95d
Regulatory Compliancee4df5fb7-58e9-41de-9399-f043c7a931f8Microsoft Managed Control 1740 - Information Security Measures Of PerformanceMicrosoft implements this Program Management control Fixed: audit
2022-04-01 20:29:14
add: e4df5fb7-58e9-41de-9399-f043c7a931f8
Kubernetesfebd0533-8e55-448f-b837-bd0e06f16469Kubernetes cluster containers should only use allowed imagesUse images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (7.0.4 > 7.1.0)
API for FHIR0fea8f8a-4169-495d-8307-30ec335f387dCORS should not allow every domain to access your API for FHIRCross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. Default: Audit
Allowed: (audit, Audit, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Regulatory Compliance76f500cc-4bca-4583-bda1-6d084dc21086Microsoft Managed Control 1508 - Position CategorizationMicrosoft implements this Personnel Security control Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Regulatory Compliance131a2706-61e9-4916-a164-00e052056462Microsoft Managed Control 1347 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Piv Credentials...Microsoft implements this Identification and Authentication control Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Kubernetesd2e7ea85-6b44-4317-a0be-1b951587f626Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilitiesTo reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (3.1.0 > 3.2.0)
Regulatory Compliance76ba3061-b78b-48a5-aab8-43f5ae02898dMicrosoft Managed Control 1847 - Individual Access Microsoft implements this Individual Participation and Redress control Fixed: audit
2022-04-01 20:29:14
add: 76ba3061-b78b-48a5-aab8-43f5ae02898d
Healthcare APIsfe1c9040-c46a-4e81-9aea-c7850fbb3aa6CORS should not allow every domain to access your FHIR ServiceCross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. Default: Audit
Allowed: (audit, Audit, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Regulatory Compliance66632c7c-d0b3-4945-a8ae-e5c62cbea386Microsoft Managed Control 1829 - Data Integrity And Data Integrity Board | Publish Agreements on WebsiteMicrosoft implements this Data Quality and Integrity control Fixed: audit
2022-04-01 20:29:14
add: 66632c7c-d0b3-4945-a8ae-e5c62cbea386
Regulatory Compliance38dfd8a3-5290-4099-88b7-4081f4c4d8aeMicrosoft Managed Control 1416 - Remote Maintenance | Document Remote MaintenanceMicrosoft implements this Maintenance control Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Regulatory Compliance33cfabfd-49ce-432b-b988-aff483ca3897Microsoft Managed Control 1871 - Information Sharing with Third Parties Microsoft implements this Use Limitation control Fixed: audit
2022-04-01 20:29:14
add: 33cfabfd-49ce-432b-b988-aff483ca3897
Event Grid
d389df0a-e0d7-4607-833c-75a6fdac2c2d
Deploy - Configure Azure Event Grid domains to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.
Default: DeployIfNotExists
Allowed: (deployIfNotExists, DeployIfNotExists, Disabled)
Network Contributor
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)

Monitoring
1f68a601-6e6d-4e42-babf-3f643a047ea2
Azure Monitor Logs clusters should be encrypted with customer-managed key
Create Azure Monitor logs clusters with customer-managed key encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. A customer-managed key in Azure Monitor gives you more control over the access to your data; see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)

Regulatory Compliance
2ef3cc79-733e-48ed-ab6f-7bf439e9b406
Microsoft Managed Control 1000 - Access Control Policy And Procedures Requirements
Microsoft implements this Access Control control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
0c92e78e-4667-44f1-8b1d-bbc784b66950
Microsoft Managed Control 1755 - Contacts With Security Groups And Associations
Microsoft implements this Program Management control.
Fixed: audit
2022-04-01 20:29:14
add: 0c92e78e-4667-44f1-8b1d-bbc784b66950

Regulatory Compliance
05f5163b-bd90-49eb-8b6e-c1044d0b170a
Microsoft Managed Control 1752 - Information Security Workforce
Microsoft implements this Program Management control.
Fixed: audit
2022-04-01 20:29:14
add: 05f5163b-bd90-49eb-8b6e-c1044d0b170a

Regulatory Compliance
dd469ae0-71a8-4adc-aafc-de6949ca3339
Microsoft Managed Control 1715 - Software & Information Integrity | Automated Response To Integrity Violations
Microsoft implements this System and Information Integrity control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
baff1279-05e0-4463-9a70-8ba5de4c7aa4
Microsoft Managed Control 1726 - Information Output Handling And Retention
Microsoft implements this System and Information Integrity control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
0dced7ab-9ce5-4137-93aa-14c13e06ab17
Microsoft Managed Control 1718 - Software & Information Integrity | Binary Or Machine Executable Code
Microsoft implements this System and Information Integrity control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Bot Service
51522a96-0869-4791-82f3-981000c2c67f
Bot Service should be encrypted with a customer-managed key
Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)

Regulatory Compliance
44e543aa-41db-42aa-98eb-8a5eb1db53f0
Microsoft Managed Control 1712 - Software & Information Integrity
Microsoft implements this System and Information Integrity control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
f7161f06-5260-4f0f-aeae-4bbfb8612a10
Microsoft Managed Control 1812 - Privacy Monitoring And Auditing
Microsoft implements this Accountability, Audit, and Risk Management control.
Fixed: audit
2022-04-01 20:29:14
add: f7161f06-5260-4f0f-aeae-4bbfb8612a10

App Service
95bccee9-a7f8-4bec-9ee9-62c3473701fc
App Service apps should have authentication enabled
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-04-01 20:29:14
change: Major (1.0.0 > 2.0.0)

Regulatory Compliance
2d5600ed-575a-4723-9ff4-52d694be0a59
Microsoft Managed Control 1856 - Privacy Incident Response
Microsoft implements this Security control.
Fixed: audit
2022-04-01 20:29:14
add: 2d5600ed-575a-4723-9ff4-52d694be0a59

Regulatory Compliance
65c11daf-e754-406e-8d7b-f337dbd46a4f
Microsoft Managed Control 1800 - Authority to Collect
Microsoft implements this Authority and Purpose control.
Fixed: audit
2022-04-01 20:29:14
add: 65c11daf-e754-406e-8d7b-f337dbd46a4f

Regulatory Compliance
6519d7f3-e8a2-4ff3-a935-9a9497152ad7
Microsoft Managed Control 1441 - Media Sanitization And Disposal | Equipment Testing
Microsoft implements this Media Protection control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Kubernetes
975ce327-682c-4f2e-aa46-b9598289b86c
Kubernetes cluster containers should only use allowed seccomp profiles
Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (4.0.2 > 4.1.0)

Machine Learning
77eeea86-7e81-4a7d-9067-de844d096752
[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes
Provide allowed Python packages for specified Azure Machine Learning computes; this policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-04-01 20:29:14
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

Kubernetes
a6f560f4-f582-4b67-b123-a37dcd1bf7ea
Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets
Deploy a 'sourceControlConfiguration' to Kubernetes clusters to ensure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Contributor
2022-04-01 20:29:14
change: Minor (1.0.1 > 1.1.0)
Monitoring
59c3d93f-900b-4827-a8bd-562e7b956e7c
Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication
Automate the deployment of the Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip the install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-04-01 20:29:14
add: 59c3d93f-900b-4827-a8bd-562e7b956e7c

Regulatory Compliance
956b00aa-7977-4214-a0f5-e0428c1f9bff
Microsoft Managed Control 1806 - Governance And Privacy Program
Microsoft implements this Accountability, Audit, and Risk Management control.
Fixed: audit
2022-04-01 20:29:14
add: 956b00aa-7977-4214-a0f5-e0428c1f9bff

Regulatory Compliance
d2fc426a-4b67-464b-87c9-2134b8762ddf
Microsoft Managed Control 1817 - Privacy-Enhanced System Design And Development
Microsoft implements this Accountability, Audit, and Risk Management control.
Fixed: audit
2022-04-01 20:29:14
add: d2fc426a-4b67-464b-87c9-2134b8762ddf

Regulatory Compliance
28e633fd-284e-4ea7-88b4-02ca157ed713
Microsoft Managed Control 1418 - Remote Maintenance | Comparable Security / Sanitization
Microsoft implements this Maintenance control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
dce72873-c5f1-47c3-9b4f-6b8207fd5a45
Microsoft Managed Control 1439 - Media Sanitization And Disposal
Microsoft implements this Media Protection control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
4e26f8c3-4bf3-4191-b8fc-d888805101b7
Microsoft Managed Control 1001 - Access Control Policy And Procedures Requirements
Microsoft implements this Access Control control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
aac17c36-2ac1-417f-ba74-6305f2ce6ad5
Microsoft Managed Control 1859 - Privacy Notice
Microsoft implements this Transparency control.
Fixed: audit
2022-04-01 20:29:14
add: aac17c36-2ac1-417f-ba74-6305f2ce6ad5

Azure Stack Edge
b4ac1030-89c5-4697-8e00-28b5ba6a8811
Azure Stack Edge devices should use double-encryption
To secure the data at rest on the device, ensure it's double-encrypted, that access to data is controlled, and that once the device is deactivated, the data is securely erased from the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)

Regulatory Compliance
70792197-9bfc-4813-905a-bd33993e327f
Microsoft Managed Control 1509 - Position Categorization
Microsoft implements this Personnel Security control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
2fb740e5-cbc7-4d10-8686-d1bf826652b1
Microsoft Managed Control 1090 - Security Awareness
Microsoft implements this Awareness and Training control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
b07c9b24-729e-4e85-95fc-f224d2d08a80
Microsoft Managed Control 1429 - Media Labeling
Microsoft implements this Media Protection control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
fd4a2ac8-868a-4702-a345-6c896c3361ce
Microsoft Managed Control 1707 - Security Alerts & Advisories | Automated Alerts And Advisories
Microsoft implements this System and Information Integrity control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
88ae1753-f34c-47c3-96af-dccb4ac052eb
Microsoft Managed Control 1830 - Minimization of Personally Identifiable Information
Microsoft implements this Data Minimization and Retention control.
Fixed: audit
2022-04-01 20:29:14
add: 88ae1753-f34c-47c3-96af-dccb4ac052eb

Regulatory Compliance
4c6df994-1810-44c9-bd35-3280397cf9a6
Microsoft Managed Control 1868 - Internal Use
Microsoft implements this Use Limitation control.
Fixed: audit
2022-04-01 20:29:14
add: 4c6df994-1810-44c9-bd35-3280397cf9a6

Regulatory Compliance
e17a106b-cf45-431e-89dc-da71e161c40c
Microsoft Managed Control 1801 - Purpose Specification
Microsoft implements this Authority and Purpose control.
Fixed: audit
2022-04-01 20:29:14
add: e17a106b-cf45-431e-89dc-da71e161c40c

Regulatory Compliance
b2c2d6ed-bed8-419f-a8b7-59d736573acd
Microsoft Managed Control 1863 - System of Records Notices And Privacy Act Statements
Microsoft implements this Transparency control.
Fixed: audit
2022-04-01 20:29:14
add: b2c2d6ed-bed8-419f-a8b7-59d736573acd

Key Vault
1151cede-290b-4ba0-8b38-0ad145ac888f
Certificates should use allowed key types
Manage your organizational compliance requirements by restricting the key types allowed for certificates.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0)

Regulatory Compliance
7cb8a3d2-a208-4b6f-95e8-e8f0bb85a7a6
Microsoft Managed Control 1807 - Governance And Privacy Program
Microsoft implements this Accountability, Audit, and Risk Management control.
Fixed: audit
2022-04-01 20:29:14
add: 7cb8a3d2-a208-4b6f-95e8-e8f0bb85a7a6

Kubernetes
b2fd3e59-6390-4f2b-8247-ea676bd03e2d
[Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster
This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor, suffix remains equal (4.0.2-deprecated > 4.1.0-deprecated)

Regulatory Compliance
3bd6a378-4173-411d-a958-dc699b0ee2fd
Microsoft Managed Control 1737 - Plan Of Action And Milestones Process
Microsoft implements this Program Management control.
Fixed: audit
2022-04-01 20:29:14
add: 3bd6a378-4173-411d-a958-dc699b0ee2fd

Regulatory Compliance
5fd9ced5-18e8-4c09-91b7-3725680f8ade
Microsoft Managed Control 1734 - Information Security Resources
Microsoft implements this Program Management control.
Fixed: audit
2022-04-01 20:29:14
add: 5fd9ced5-18e8-4c09-91b7-3725680f8ade

Cosmos DB
0b7ef78e-a035-4f23-b9bd-aff122a1b1cf
Azure Cosmos DB throughput should be limited
This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)
Regulatory Compliance
b083a535-a66a-41ec-ba7f-f9498bf67cde
Microsoft Managed Control 1711 - Security Functionality Verification
Microsoft implements this System and Information Integrity control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
d922484a-8cfc-4a6b-95a4-77d6a685407f
Microsoft Managed Control 1577 - Acquisitions Process | Continuous Monitoring Plan
Microsoft implements this System and Services Acquisition control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
2e0ffcf5-c19e-4e04-ad0f-2db9b15ab126
Microsoft Managed Control 1751 - Insider Threat Program
Microsoft implements this Program Management control.
Fixed: audit
2022-04-01 20:29:14
add: 2e0ffcf5-c19e-4e04-ad0f-2db9b15ab126

Kubernetes
46592696-4c7b-4bf3-9e45-6c2763bdc0a6
Kubernetes cluster pods should use specified labels
Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (6.0.1 > 6.1.0)

Regulatory Compliance
7a1e2c88-13de-4959-8ee7-47e3d74f1f48
Microsoft Managed Control 1708 - Security Functionality Verification
Microsoft implements this System and Information Integrity control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Bot Service
6164527b-e1ee-4882-8673-572f425f5e0a
Bot Service endpoint should be a valid HTTPS URI
Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.1 > 1.1.0)

Regulatory Compliance
fc933d22-04df-48ed-8f87-22a3773d4309
Microsoft Managed Control 1075 - Access Control for Portable And Mobile Systems | Full Device / Container-Based Encryption
Microsoft implements this Access Control control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
45b7b644-5f91-498e-9d89-7402532d3645
Microsoft Managed Control 1578 - Acquisitions Process | Functions / Ports / Protocols / Services In Use
Microsoft implements this System and Services Acquisition control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
5b61f773-2042-46a8-b489-106d850d6d4e
Microsoft Managed Control 1814 - Privacy Awareness And Training
Microsoft implements this Accountability, Audit, and Risk Management control.
Fixed: audit
2022-04-01 20:29:14
add: 5b61f773-2042-46a8-b489-106d850d6d4e

Machine Learning
53c70b02-63dd-11ea-bc55-0242ac130003
[Preview]: Configure allowed module authors for specified Azure Machine Learning computes
Provide allowed module authors for specified Azure Machine Learning computes; this policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-04-01 20:29:14
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

Regulatory Compliance
aeedddb6-6bc0-42d5-809b-80048033419d
Microsoft Managed Control 1413 - Remote Maintenance
Microsoft implements this Maintenance control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
2fd50ffd-c983-4fab-862c-678b95bfaf5a
Microsoft Managed Control 1832 - Minimization of Personally Identifiable Information
Microsoft implements this Data Minimization and Retention control.
Fixed: audit
2022-04-01 20:29:14
add: 2fd50ffd-c983-4fab-862c-678b95bfaf5a

Regulatory Compliance
2234feec-08c6-4fc9-af78-df0dcc482efd
Microsoft Managed Control 1860 - Privacy Notice
Microsoft implements this Transparency control.
Fixed: audit
2022-04-01 20:29:14
add: 2234feec-08c6-4fc9-af78-df0dcc482efd

Regulatory Compliance
4c25cbd0-8776-412f-8466-5993e38ce602
Microsoft Managed Control 1838 - Minimization of PII Used in Testing, Training, And Research
Microsoft implements this Data Minimization and Retention control.
Fixed: audit
2022-04-01 20:29:14
add: 4c25cbd0-8776-412f-8466-5993e38ce602

Regulatory Compliance
fb845c34-808d-4c17-a0ce-85a530e9164b
Microsoft Managed Control 1857 - Privacy Incident Response
Microsoft implements this Security control.
Fixed: audit
2022-04-01 20:29:14
add: fb845c34-808d-4c17-a0ce-85a530e9164b

Event Grid
baf19753-7502-405f-8745-370519b20483
Deploy - Configure Azure Event Grid topics to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.
Default: DeployIfNotExists
Allowed: (deployIfNotExists, DeployIfNotExists, Disabled)
Network Contributor
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)

Regulatory Compliance
c055ec23-c9d1-4718-be96-433aa8108516
Microsoft Managed Control 1826 - Data Quality | Re-Validate PII
Microsoft implements this Data Quality and Integrity control.
Fixed: audit
2022-04-01 20:29:14
add: c055ec23-c9d1-4718-be96-433aa8108516

Regulatory Compliance
8e903bb7-00e9-4255-a881-500742a2dbaa
Microsoft Managed Control 1843 - Consent
Microsoft implements this Individual Participation and Redress control.
Fixed: audit
2022-04-01 20:29:14
add: 8e903bb7-00e9-4255-a881-500742a2dbaa

Regulatory Compliance
38512b01-6a68-45d6-bb97-189a9a0fbe5e
Microsoft Managed Control 1849 - Individual Access
Microsoft implements this Individual Participation and Redress control.
Fixed: audit
2022-04-01 20:29:14
add: 38512b01-6a68-45d6-bb97-189a9a0fbe5e

Regulatory Compliance
4f8e271b-dfea-47e9-b81e-5519bae0b120
Microsoft Managed Control 1852 - Compliant Management
Microsoft implements this Individual Participation and Redress control.
Fixed: audit
2022-04-01 20:29:14
add: 4f8e271b-dfea-47e9-b81e-5519bae0b120

Regulatory Compliance
1a437f5b-9ad6-4f28-8861-de404d511ae4
Microsoft Managed Control 1071 - Wireless Access Restrictions | Restrict Configurations By Users
Microsoft implements this Access Control control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Regulatory Compliance
6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b
Microsoft Managed Control 1304 - User Identification And Authentication | Local Access To Non-Privileged Accounts
Microsoft implements this Identification and Authentication control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Kubernetes
098fc59e-46c7-4d99-9b16-64990e543d75
Kubernetes cluster pod hostPath volumes should only use allowed host paths
Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes cluster. This recommendation is part of Pod Security Policies, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (4.0.3 > 4.1.0)

Regulatory Compliance
a7fcf38d-bb09-4600-be7d-825046eb162a
Microsoft Managed Control 1570 - Acquisitions Process
Microsoft implements this System and Services Acquisition control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Kubernetes
56d0a13f-712f-466b-8416-56fb354fb823
Kubernetes cluster containers should not use forbidden sysctl interfaces
Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (5.0.0 > 5.1.0)

Managed Application
9db7917b-1607-4e7d-a689-bca978dd0633
Application definition for Managed Application should use customer provided storage account
Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)

Regulatory Compliance
4f26049b-2c5a-4841-9ff3-d48a26aae475
Microsoft Managed Control 1442 - Media Sanitization And Disposal | Nondestructive Techniques
Microsoft implements this Media Protection control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
09828c65-e323-422b-9774-9d5c646124da
Microsoft Managed Control 1302 - User Identification And Authentication | Network Access To Non-Privileged Accounts
Microsoft implements this Identification and Authentication control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
0f935dab-83d6-47b8-85ef-68b8584161b9
Microsoft Managed Control 1574 - Acquisitions Process
Microsoft implements this System and Services Acquisition control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Machine Learning
3948394e-63de-11ea-bc55-0242ac130003
[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes
Configure an approval endpoint that is called before jobs run on specified Azure Machine Learning computes; this policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-04-01 20:29:14
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

Regulatory Compliance
99efece4-6828-42a4-9577-ff06bc1c4bf4
Microsoft Managed Control 1839 - Minimization of PII Used in Testing, Training, And Research
Microsoft implements this Data Minimization and Retention control.
Fixed: audit
2022-04-01 20:29:14
add: 99efece4-6828-42a4-9577-ff06bc1c4bf4

Regulatory Compliance
d78966ce-05c7-4967-829d-9a414ea2bc92
Microsoft Managed Control 1842 - Consent
Microsoft implements this Individual Participation and Redress control.
Fixed: audit
2022-04-01 20:29:14
add: d78966ce-05c7-4967-829d-9a414ea2bc92

Regulatory Compliance
56a838e0-0a5d-49a8-ab74-bf6be81b32f5
Microsoft Managed Control 1835 - Data Retention And Disposal
Microsoft implements this Data Minimization and Retention control.
Fixed: audit
2022-04-01 20:29:14
add: 56a838e0-0a5d-49a8-ab74-bf6be81b32f5

Regulatory Compliance
93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41
Microsoft Managed Control 1575 - Acquisitions Process | Functional Properties Of Security Controls
Microsoft implements this System and Services Acquisition control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
79da5b09-0e7e-499e-adda-141b069c7998
Microsoft Managed Control 1510 - Position Categorization
Microsoft implements this Personnel Security control.
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
238cef2f-9f76-41fa-be5e-0899a7aad0d8
Microsoft Managed Control 1821 - Data Quality
Microsoft implements this Data Quality and Integrity control.
Fixed: audit
2022-04-01 20:29:14
add: 238cef2f-9f76-41fa-be5e-0899a7aad0d8

Kubernetes
82985f06-dc18-4a48-bc1c-b9f4f0098cfe
Kubernetes cluster pods should only use approved host network and port range
Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4, which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (4.0.2 > 4.1.0)

Regulatory Compliance
d5f959a0-1808-4ebd-9a13-79237246f96f
Microsoft Managed Control 1861 - Privacy Notice | Real-Time or Layered Notice
Microsoft implements this Transparency control.
Fixed: audit
2022-04-01 20:29:14
add: d5f959a0-1808-4ebd-9a13-79237246f96f
Kubernetes1b708b0a-3380-40e9-8b79-821f9fa224ccDisable Command Invoke on Azure Kubernetes Service clustersDisabling command invoke can enhance the security by rejecting invoke-command access to the cluster Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
2022-04-01 20:29:14
add: 1b708b0a-3380-40e9-8b79-821f9fa224cc
Regulatory Compliance395736bb-aa8b-45f0-b9cc-06af26b2b1d4Microsoft Managed Control 1810 - Privacy Requirements for Contractors And Service Providers Microsoft implements this Accountability, Audit, and Risk Management control Fixed: audit
2022-04-01 20:29:14
add: 395736bb-aa8b-45f0-b9cc-06af26b2b1d4
Regulatory Compliance3492d949-0dbb-4589-88b3-7b59601cc764Microsoft Managed Control 1412 - Remote MaintenanceMicrosoft implements this Maintenance control Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
Kubernetesdf49d893-a74c-421d-bc95-c663042e5b80Kubernetes cluster containers should run with a read only root file systemRun containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (4.0.2 > 4.1.0)
Regulatory Compliance1ca29e41-34ec-4e70-aba9-6248aca18c31Microsoft Managed Control 1072 - Wireless Access Restrictions | Antennas / Transmission Power LevelsMicrosoft implements this Access Control control Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)
App Servicec75248c1-ea1d-4a9c-8fc9-29a6aabd5da8Function apps should have authentication enabledAzure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-04-01 20:29:14
change: Major (1.0.0 > 2.0.0)

Cosmos DB
1f905d99-2ab7-462c-a6b0-f709acca6c8f
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.2 > 1.1.0)

Regulatory Compliance
18573dd5-899f-453d-b069-fa77b61fe257
Microsoft Managed Control 1870 - Information Sharing with Third Parties
Microsoft implements this Use Limitation control
Fixed: audit
2022-04-01 20:29:14
add: 18573dd5-899f-453d-b069-fa77b61fe257

Regulatory Compliance
cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff
Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay...
Microsoft implements this Identification and Authentication control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
f5a44e7d-77a2-474e-b2e3-4e8c42ba514b
Microsoft Managed Control 1729 - Information Security Program Plan
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: f5a44e7d-77a2-474e-b2e3-4e8c42ba514b

Regulatory Compliance
f475ee0e-f560-4c9b-876b-04a77460a404
Microsoft Managed Control 1706 - Security Alerts & Advisories
Microsoft implements this System and Information Integrity control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c
Microsoft Managed Control 1073 - Access Control for Portable And Mobile Systems
Microsoft implements this Access Control control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
05a32666-d134-4842-a8cb-5c299f4bc099
Microsoft Managed Control 1728 - Incident Handling
Microsoft implements this Incident Response control
Fixed: audit
2022-04-01 20:29:14
add: 05a32666-d134-4842-a8cb-5c299f4bc099

Kubernetes
89f2d532-c53c-4f8f-9afa-4927b1114a0d
Azure Kubernetes Service Clusters should disable Command Invoke
Disabling command invoke can enhance security by preventing bypass of restricted network access or Kubernetes role-based access control.
Default: Audit
Allowed: (Audit, Disabled)
2022-04-01 20:29:14
add: 89f2d532-c53c-4f8f-9afa-4927b1114a0d

Key Vault
cee51871-e572-4576-855c-047c820360f0
Certificates using RSA cryptography should have the specified minimum key size
Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0)

Regulatory Compliance
3cb4787b-2c91-4aca-bf5a-577e99411c8a
Microsoft Managed Control 1825 - Data Quality | Validate PII
Microsoft implements this Data Quality and Integrity control
Fixed: audit
2022-04-01 20:29:14
add: 3cb4787b-2c91-4aca-bf5a-577e99411c8a

Regulatory Compliance
4152937a-1a44-401a-a179-04b44ea15f4c
Microsoft Managed Control 1733 - Senior Information Security Officer
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: 4152937a-1a44-401a-a179-04b44ea15f4c

Regulatory Compliance
0d87c70b-5012-48e9-994b-e70dd4b8def0
Microsoft Managed Control 1713 - Software & Information Integrity | Integrity Checks
Microsoft implements this System and Information Integrity control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
1fa50212-51a9-471b-95cf-3a23410ec9e9
Microsoft Managed Control 1730 - Information Security Program Plan
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: 1fa50212-51a9-471b-95cf-3a23410ec9e9

Kubernetes
1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d
Kubernetes clusters should be accessible only over HTTPS
Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (6.0.1 > 6.1.0)

Automanage
b025cfb4-3702-47c2-9110-87fe0cfcc99b
Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile
Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope.
Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor
2022-04-01 20:29:14
add: b025cfb4-3702-47c2-9110-87fe0cfcc99b

Regulatory Compliance
f3739612-c86c-4b2e-bbe6-0d0869aec19c
Microsoft Managed Control 1803 - Governance And Privacy Program
Microsoft implements this Accountability, Audit, and Risk Management control
Fixed: audit
2022-04-01 20:29:14
add: f3739612-c86c-4b2e-bbe6-0d0869aec19c

Regulatory Compliance
71280b2a-8c2f-4480-b933-686c0987cfbb
Microsoft Managed Control 1851 - Redress
Microsoft implements this Individual Participation and Redress control
Fixed: audit
2022-04-01 20:29:14
add: 71280b2a-8c2f-4480-b933-686c0987cfbb

Kubernetes
233a2a17-77ca-4fb1-9b6b-69223d272a44
Kubernetes cluster services should listen only on allowed ports
Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (6.1.2 > 6.2.0)

Regulatory Compliance
58f477bf-287b-43ef-ab49-dffde92130a0
Microsoft Managed Control 1816 - Privacy Reporting
Microsoft implements this Accountability, Audit, and Risk Management control
Fixed: audit
2022-04-01 20:29:14
add: 58f477bf-287b-43ef-ab49-dffde92130a0

Regulatory Compliance
99deec7d-5526-472e-b07c-3645a792026a
Microsoft Managed Control 1300 - User Identification And Authentication
Microsoft implements this Identification and Authentication control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
5bef3414-50bc-4fc0-b3db-372bb8fe0796
Microsoft Managed Control 1836 - Data Retention And Disposal
Microsoft implements this Data Minimization and Retention control
Fixed: audit
2022-04-01 20:29:14
add: 5bef3414-50bc-4fc0-b3db-372bb8fe0796

Regulatory Compliance
881299bf-2a5b-4686-a1b2-321d33679953
Microsoft Managed Control 1440 - Media Sanitization And Disposal | Review / Approve / Track / Document / Verify
Microsoft implements this Media Protection control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
12a4a4dd-6c65-4900-9d7e-63fed5da791e
Microsoft Managed Control 1834 - Data Retention And Disposal
Microsoft implements this Data Minimization and Retention control
Fixed: audit
2022-04-01 20:29:14
add: 12a4a4dd-6c65-4900-9d7e-63fed5da791e

Regulatory Compliance
804faf7d-b687-40f7-9f74-79e28adf4205
Microsoft Managed Control 1703 - Security Alerts & Advisories
Microsoft implements this System and Information Integrity control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
2d44b6fa-1134-4ea6-ad4e-9edb68f65429
Microsoft Managed Control 1704 - Security Alerts & Advisories
Microsoft implements this System and Information Integrity control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
2ab0c8e3-b8ef-48e9-b6ac-a0c5e713a757
Microsoft Managed Control 1746 - Security Authorization Process
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: 2ab0c8e3-b8ef-48e9-b6ac-a0c5e713a757

Regulatory Compliance
86cd0591-5076-4447-aeff-2557def90353
Microsoft Managed Control 1827 - Data Integrity And Data Integrity Board
Microsoft implements this Data Quality and Integrity control
Fixed: audit
2022-04-01 20:29:14
add: 86cd0591-5076-4447-aeff-2557def90353

Regulatory Compliance
59a7116d-19fd-49e9-a068-dec4460b97e5
Microsoft Managed Control 1731 - Information Security Program Plan
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: 59a7116d-19fd-49e9-a068-dec4460b97e5

Internet of Things
c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02
Deploy - Configure Azure IoT Hubs to use private DNS zones
Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints.
Default: DeployIfNotExists
Allowed: (deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Network Contributor
Contributor
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)

Regulatory Compliance
81817e1c-5347-48dd-965a-40159d008229
Microsoft Managed Control 1308 - User Identification And Authentication | Remote Access - Separate Device
Microsoft implements this Identification and Authentication control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
61a1dd98-b259-4840-abd5-fbba7ee0da83
Microsoft Managed Control 1415 - Remote Maintenance
Microsoft implements this Maintenance control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
3a09e314-dca7-4a19-b3b4-14abd6305043
Microsoft Managed Control 1753 - Testing, Training, And Monitoring
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: 3a09e314-dca7-4a19-b3b4-14abd6305043

Regulatory Compliance
d77fd943-6ba6-4a21-ba07-22b03e347cc4
Microsoft Managed Control 1350 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Issued Profiles
Microsoft implements this Identification and Authentication control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
6b04f815-52d7-4ff6-94bf-a4f22c07d5ae
Microsoft Managed Control 1809 - Privacy Impact And Risk Assessment
Microsoft implements this Accountability, Audit, and Risk Management control
Fixed: audit
2022-04-01 20:29:14
add: 6b04f815-52d7-4ff6-94bf-a4f22c07d5ae

Kubernetes
e1e6c427-07d9-46ab-9689-bfa85431e636
Kubernetes cluster pods and containers should only use allowed SELinux options
Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (5.0.0 > 5.1.0)

Regulatory Compliance
106618ad-fe3e-49b4-bfef-01009f6770d8
Microsoft Managed Control 1820 - Accounting of Disclosures
Microsoft implements this Accountability, Audit, and Risk Management control
Fixed: audit
2022-04-01 20:29:14
add: 106618ad-fe3e-49b4-bfef-01009f6770d8

Regulatory Compliance
4f3b7f51-9620-4c71-b887-48a6838c68b8
Microsoft Managed Control 1748 - Security Authorization Process
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: 4f3b7f51-9620-4c71-b887-48a6838c68b8

Kubernetes
47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
Kubernetes cluster containers should not share host process ID or host IPC namespace
Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0)

Regulatory Compliance
58c93053-7b98-4cf0-b99f-1beb985416c2
Microsoft Managed Control 1573 - Acquisitions Process
Microsoft implements this System and Services Acquisition control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Monitoring
6fc8115b-2008-441f-8c61-9b722c1e537f
Workbooks should be saved to storage accounts that you control
With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos
Default: Audit
Allowed: (deny, Deny, audit, Audit, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)

Kubernetes
64def556-fbad-4622-930e-72d1d5589bf5
Configure Azure Kubernetes Service clusters to enable Defender profile
Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-04-01 20:29:14
change: Patch, suffix remains equal (3.0.2-preview > 3.0.3-preview)

Kubernetes
16697877-1118-4fb1-9b65-9898ec2509ec
Kubernetes cluster pods should only use allowed volume types
Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0)

Kubernetes
95edb821-ddaf-4404-9732-666045e056b4
Kubernetes cluster should not allow privileged containers
Do not allow privileged container creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (7.0.1 > 7.1.0)

Regulatory Compliance
17641f70-94cd-4a5d-a613-3d1143e20e34
Microsoft Managed Control 1349 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Approved Products
Microsoft implements this Identification and Authentication control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
4edd8330-da6b-4f1e-b996-e064d8b92cb7
Microsoft Managed Control 1833 - Minimization of Personally Identifiable Information | Locate/Remove/Redact/Anonymize PII
Microsoft implements this Data Minimization and Retention control
Fixed: audit
2022-04-01 20:29:14
add: 4edd8330-da6b-4f1e-b996-e064d8b92cb7

Regulatory Compliance
791cfc15-6974-42a0-9f4c-2d4b82f4a78c
Microsoft Managed Control 1647 - Use of Cryptography
Microsoft implements this System and Communications Protection control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
9834600a-668a-482c-9310-a89861b29e06
Microsoft Managed Control 1805 - Governance And Privacy Program
Microsoft implements this Accountability, Audit, and Risk Management control
Fixed: audit
2022-04-01 20:29:14
add: 9834600a-668a-482c-9310-a89861b29e06

Regulatory Compliance
20ea0798-d19e-4925-afd0-53d583815818
Microsoft Managed Control 1815 - Privacy Awareness And Training
Microsoft implements this Accountability, Audit, and Risk Management control
Fixed: audit
2022-04-01 20:29:14
add: 20ea0798-d19e-4925-afd0-53d583815818

Kubernetes
1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
Kubernetes clusters should not allow container privilege escalation
Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (4.0.1 > 4.1.0)

Regulatory Compliance
84e622c8-4bed-417c-84c6-b2fb0dd73682
Microsoft Managed Control 1307 - User Identification And Authentication | Network Access To Non-Privileged Accounts - Replay...
Microsoft implements this Identification and Authentication control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
8cb6d7ea-a6ae-4bc0-ae70-9fa3715e46bf
Microsoft Managed Control 1822 - Data Quality
Microsoft implements this Data Quality and Integrity control
Fixed: audit
2022-04-01 20:29:14
add: 8cb6d7ea-a6ae-4bc0-ae70-9fa3715e46bf

Regulatory Compliance
6f29a2f0-ca59-4bdc-97a7-a8d593b60108
Microsoft Managed Control 1853 - Compliant Management | Response Times
Microsoft implements this Individual Participation and Redress control
Fixed: audit
2022-04-01 20:29:14
add: 6f29a2f0-ca59-4bdc-97a7-a8d593b60108

Monitoring
ae8a10e6-19d6-44a3-a02d-a2bdfc707742
Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-04-01 20:29:14
add: ae8a10e6-19d6-44a3-a02d-a2bdfc707742

Key Vault
f772fb64-8e40-40ad-87bc-7706e1949427
[Preview]: Certificates should not expire within the specified number of days
Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview)

Kubernetes
423dd1ba-798e-40e4-9c4d-b6902674b423
Kubernetes clusters should disable automounting API credentials
Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (2.0.2 > 2.1.0)

Regulatory Compliance
f355d62b-39a8-4ba3-abf7-90f71cb3b000
Microsoft Managed Control 1309 - User Identification And Authentication | Acceptance Of Piv Credentials
Microsoft implements this Identification and Authentication control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Backup
09ce66bc-1220-4153-8104-e3f51c936913
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0)

Regulatory Compliance
1c0b3710-03dc-450a-a56a-77b85e744f0d
Microsoft Managed Control 1749 - Mission/Business Process Definition
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: 1c0b3710-03dc-450a-a56a-77b85e744f0d

Machine Learning
1d413020-63de-11ea-bc55-0242ac130003
[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes
Provide a log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes; the policy can be assigned at the workspace level. For more information, visit https://aka.ms/amlpolicydoc.
Default: enforceSetting
Allowed: (enforceSetting, disabled)
2022-04-01 20:29:14
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

Monitoring
4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff
Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity
Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-04-01 20:29:14
change: Major (2.0.0 > 3.0.0)

Monitoring
ca817e41-e85a-4783-bc7f-dc532d36235e
Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity
Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-04-01 20:29:14
change: Major (3.0.0 > 4.0.0)

Regulatory Compliance
6c657baf-0693-455a-8bb2-7b4bdf79fd0e
Microsoft Managed Control 1757 - Contacts With Security Groups And Associations
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: 6c657baf-0693-455a-8bb2-7b4bdf79fd0e

Cosmos DB
0473574d-2d43-4217-aefe-941fcdf7e684
Azure Cosmos DB allowed locations
This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use it to enforce your geo-compliance requirements.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0)

Monitoring
56a3e4f8-649b-4fac-887e-5564d11e8d3a
Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication
Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
3815d34a-187d-4f30-a9fa-5ac464e3465d
Microsoft Managed Control 1736 - Information Security Resources
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: 3815d34a-187d-4f30-a9fa-5ac464e3465d

Regulatory Compliance
cd6120c1-d069-416d-9753-fbe84bca4b01
Microsoft Managed Control 1808 - Privacy Impact And Risk Assessment
Microsoft implements this Accountability, Audit, and Risk Management control
Fixed: audit
2022-04-01 20:29:14
add: cd6120c1-d069-416d-9753-fbe84bca4b01

Regulatory Compliance
f82e3639-fa2b-4e06-a786-932d8379b972
Microsoft Managed Control 1705 - Security Alerts & Advisories
Microsoft implements this System and Information Integrity control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Regulatory Compliance
51d53eb3-6c02-4f3f-a608-a058af96fa6a
Microsoft Managed Control 1831 - Minimization of Personally Identifiable Information
Microsoft implements this Data Minimization and Retention control
Fixed: audit
2022-04-01 20:29:14
add: 51d53eb3-6c02-4f3f-a608-a058af96fa6a

Regulatory Compliance
d4de5955-e00f-414d-9c16-f569c6a99c10
Microsoft Managed Control 1756 - Contacts With Security Groups And Associations
Microsoft implements this Program Management control
Fixed: audit
2022-04-01 20:29:14
add: d4de5955-e00f-414d-9c16-f569c6a99c10

Regulatory Compliance
b6747bf9-2b97-45b8-b162-3c8becb9937d
Microsoft Managed Control 1419 - Remote Maintenance | Cryptographic Protection
Microsoft implements this Maintenance control
Fixed: audit
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1)

Guest Configuration
ea53dbee-c6c9-4f0e-9f9e-de0039b78023
Audit Linux machines that allow remote connections from accounts without passwords
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they allow remote connections from accounts without passwords.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-03-25 18:52:24
change: Major (2.0.0 > 3.0.0)

Guest Configuration
e6955644-301c-44b5-a4c4-528577de6861
Audit Linux machines that do not have the passwd file permissions set to 0644
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if the passwd file permissions are not set to 0644.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-03-25 18:52:24
change: Major (2.0.0 > 3.0.0)

CDN
daba2cce-8326-4af3-b049-81a362da024d
Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service
Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet.
Default: Audit
Allowed: (Audit, Disabled)
2022-03-25 18:52:24
add: daba2cce-8326-4af3-b049-81a362da024d

Monitoring
1c210e94-a481-4beb-95fa-1571b434fb04
Deploy - Configure Dependency agent to be enabled on Windows virtual machines
Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-03-25 18:52:24
change: Minor (2.0.0 > 2.1.0)

Monitoring
3be22e3b-d919-47aa-805e-8985dbeb0ad9
Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets
Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-03-25 18:52:24
change: Minor (2.0.0 > 2.1.0)

Kubernetes
64def556-fbad-4622-930e-72d1d5589bf5
Configure Azure Kubernetes Service clusters to enable Defender profile
Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-03-25 18:52:24
change: Patch, suffix remains equal (3.0.1-preview > 3.0.2-preview)

Guest Configuration
f6ec09a3-78bf-4f8f-99dc-6c77182d0f99
Audit Linux machines that have accounts without passwords
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they have accounts without passwords.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-03-25 18:52:24
change: Major (2.0.0 > 3.0.0)

CDN
dfc212af-17ea-423a-9dcb-91e2cb2caa6b
Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link
Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-03-25 18:52:24
add: dfc212af-17ea-423a-9dcb-91e2cb2caa6b

CDN
679da822-78a7-4eff-8fff-a899454a9970
Azure Front Door Standard and Premium should be running minimum TLS version of 1.2
Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-03-25 18:52:24
add: 679da822-78a7-4eff-8fff-a899454a9970

Monitoring
3c1b3629-c8f8-4bf6-862c-037cb9094038
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets
Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
Virtual Machine Contributor
2022-03-25 18:52:24
change: Minor (2.0.1 > 2.1.1)

Monitoring
0868462e-646c-4fe3-9ced-a733534b6a2c
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines
Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2022-03-25 18:52:24
change: Minor (2.0.1 > 2.1.1)

Storage
06695360-db88-47f6-b976-7500d4297475
Configure Azure File Sync to use private DNS zones
To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Private DNS Zone Contributor
Network Contributor
2022-03-18 17:53:47
change: Minor (1.0.0 > 1.1.0)
Kubernetes | 450d2877-ebea-41e8-b00c-e286317d21bf | Azure Kubernetes Service Clusters should enable Azure Active Directory integration
AKS-managed Azure Active Directory integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. Default: Audit
Allowed: (Audit, Disabled)
2022-03-18 17:53:47
add: 450d2877-ebea-41e8-b00c-e286317d21bf
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule
Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-18 17:53:47
change: Minor (2.0.1 > 2.1.0)
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile
Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-03-18 17:53:47
change: Major, suffix remains equal (2.0.0-preview > 3.0.1-preview)
Update Management Center | ba0df93e-e4ac-479a-aac2-134bbae39a1a | [Preview]: Schedule recurring updates using Update Management Center
You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-03-18 17:53:47
add: ba0df93e-e4ac-479a-aac2-134bbae39a1a
Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines
Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed: deployIfNotExists
Log Analytics Contributor
2022-03-18 17:53:47
change: Major (1.3.0 > 2.0.0)
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify
Contributor
2022-03-18 17:53:47
change: Major (3.0.0 > 4.0.0)
Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule
Deploy Association to link Windows virtual machines to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-18 17:53:47
change: Minor (1.0.1 > 1.1.0)
Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule
Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-18 17:53:47
change: Minor (1.0.1 > 1.1.0)
Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists
Contributor
2022-03-18 17:53:47
change: Major (2.0.0 > 3.0.0)
Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets
Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists
Virtual Machine Contributor
2022-03-18 17:53:47
change: Major (1.3.0 > 2.0.0)
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify
Contributor
2022-03-18 17:53:47
change: Major (3.0.0 > 4.0.0)
Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule
Deploy Association to link Windows Arc machines to the specified Data Collection Rule. The list of locations is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1)
Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule
Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1)
Security Center | 82bf5b87-728b-4a74-ba4d-6123845cf542 | Configure Microsoft Defender for Azure Cosmos DB to be enabled
Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2022-03-11 18:16:48
add: 82bf5b87-728b-4a74-ba4d-6123845cf542
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options
Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-03-11 18:16:48
change: Major (4.0.2 > 5.0.0)
Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule
Deploy Association to link Linux virtual machines to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1)
Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed
Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1)
Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule
Deploy Association to link Windows virtual machines to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1)
SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should be running TLS version 1.2 or newer
Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default: Audit
Allowed: (Audit, Disabled, Deny)
2022-03-11 18:16:48
change: Major (1.0.1 > 2.0.0)
Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images
Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-03-11 18:16:48
change: Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview)
Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent
Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Connected Machine Resource Administrator
2022-03-11 18:16:48
change: Major (1.0.0 > 2.0.0)
Backup | 8015d6ed-3641-4534-8d0b-5c67b67ff7de | [Preview]: Configure Recovery Services vaults to use private endpoints for backup
Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at: https://go.microsoft.com/fwlink/?linkid=2187162. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2022-03-11 18:16:48
add: 8015d6ed-3641-4534-8d0b-5c67b67ff7de
Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations
Ensure that required annotations are attached to a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-03-11 18:16:48
add: 9a5f4e39-e427-4d5d-ae73-93db00328bec
Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule
Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1)
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule
Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Patch (2.0.0 > 2.0.1)
SQL | 25da7dfb-0666-4a15-a8f5-402127efd8bb | Configure SQL servers to have auditing enabled to Log Analytics workspace
To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
SQL Security Manager
2022-03-11 18:16:48
add: 25da7dfb-0666-4a15-a8f5-402127efd8bb
Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule
Deploy Association to link Linux Arc machines to the specified Data Collection Rule. The list of locations is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1)
Security Center | adbe85b5-83e6-4350-ab58-bf3a4f736e5e | Microsoft Defender for Azure Cosmos DB should be enabled
Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-03-11 18:16:48
add: adbe85b5-83e6-4350-ab58-bf3a4f736e5e
Synapse | 32ba8d30-07c0-4136-ab18-9a11bf4a67b7 | Configure Synapse workspaces to have auditing enabled to Log Analytics workspace
To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
Owner
2022-03-11 18:16:48
add: 32ba8d30-07c0-4136-ab18-9a11bf4a67b7
Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access
Improve cluster security by centrally governing Administrator access to Azure Active Directory integrated AKS clusters. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
2022-03-11 18:16:48
change: Major (1.0.0 > 2.0.0)
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType
Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-03-11 18:16:48
change: Major (5.0.2 > 6.0.0)
Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed
Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1)
Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent
Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Connected Machine Resource Administrator
2022-03-11 18:16:48
change: Major (1.0.0 > 2.0.0)
Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled
Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers at: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default: Audit
Allowed: (Audit, Disabled)
2022-03-11 18:16:48
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces
Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-03-11 18:16:48
change: Major (4.0.2 > 5.0.0)
SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace
Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Major (3.0.0 > 4.0.0)
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile
Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule
Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-03-11 18:16:48
change: Patch (3.0.0 > 3.0.1)
SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed
To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows Server, the latter should have the SQL Server extension installed and the server's managed identity should be configured with the Azure Connected SQL Server Onboarding role. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
User Access Administrator
2022-02-18 17:44:00
change: Minor (2.0.0 > 2.1.0)
Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines
Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-02-18 17:44:00
add: d30025d0-6d64-656d-6465-67688881b632
Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule
Deploy Association to link Linux virtual machines to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-02-18 17:44:00
add: 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07
Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule
Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-02-18 17:44:00
add: 050a90d5-7cce-483f-8f6c-0df462036dda
Storage | f0e5abd0-2554-4736-b7c0-4ffef23475ef | Queue Storage should use customer-managed key for encryption
Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-18 17:44:00
add: f0e5abd0-2554-4736-b7c0-4ffef23475ef
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify
Contributor
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0)
Storage | 7c322315-e26d-4174-a99e-f49d351b4688 | Table Storage should use customer-managed key for encryption
Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-18 17:44:00
add: 7c322315-e26d-4174-a99e-f49d351b4688
Security Center | 1ec9c2c2-6d64-656d-6465-3ec3309b8579 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines
Deploys Microsoft Defender for Endpoint on applicable Windows VM images. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-02-18 17:44:00
add: 1ec9c2c2-6d64-656d-6465-3ec3309b8579
Stream Analytics | fe8684d6-3c5b-45c0-a08b-fa92653c2e1c | Stream Analytics job should connect to trusted inputs and outputs
Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization. Default: Audit
Allowed: (Deny, Disabled, Audit)
2022-02-18 17:44:00
change: Minor (1.0.0 > 1.1.0)
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule
Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0)
Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running'
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with the matching status as specified by the policy parameter. Fixed: auditIfNotExists
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0)
Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule
Deploy Association to link Windows virtual machines to the specified Data Collection Rule. The list of locations and OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-02-18 17:44:00
add: 244efd75-0d92-453c-b9a3-7d73ca36ed52
Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule
Deploy Association to link Linux Arc machines to the specified Data Collection Rule. The list of locations is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-02-18 17:44:00
add: d5c37ce1-5f52-4523-b949-f19bf945b73a
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify
Contributor
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0)
SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers
Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-18 17:44:00
change: Major (1.0.0 > 2.0.0)
Security Center | 37c043a6-6d64-656d-6465-b362dfeb354a | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines
Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-02-18 17:44:00
add: 37c043a6-6d64-656d-6465-b362dfeb354a
Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. Fixed: auditIfNotExists
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0)
Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-02-18 17:44:00
change: Minor (3.0.2 > 3.1.0)
Security Center | 4eb909e7-6d64-656d-6465-2eeb297a1625 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines
Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2022-02-18 17:44:00
add: 4eb909e7-6d64-656d-6465-2eeb297a1625
Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. Fixed: auditIfNotExists
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0)
Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning workspaces should disable public network access
Disabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-18 17:44:00
change: Minor (1.0.0 > 1.2.0)
Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. Fixed: auditIfNotExists
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0)
Category: Guest Configuration
Id: c648fbbb-591c-4acd-b465-ce9b176ca173
DisplayName: Audit Windows machines that do not have the specified Windows PowerShell execution policy
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0)
Category: Guest Configuration
Id: 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd
DisplayName: Audit Windows machines on which the DSC configuration is not compliant
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant.
Fixed: auditIfNotExists
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0)
Category: Monitoring
Id: eab1f514-22e3-42e3-9a1f-e1dc9199355c
DisplayName: Configure Windows Machines to be associated with a Data Collection Rule
Description: Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-02-18 17:44:00
change: Major (1.0.1 > 2.0.0)
Category: Security Center
Id: cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349
DisplayName: [Deprecated]: Sensitive data in your SQL databases should be classified
Description: Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-02-18 17:44:00
change: Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated)
Category: Monitoring
Id: 0a3b9bf4-d30e-424a-af6b-9a93f6f78792
DisplayName: Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule
Description: Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-02-18 17:44:00
add: 0a3b9bf4-d30e-424a-af6b-9a93f6f78792
Category: Monitoring
Id: c24c537f-2516-4c2f-aac5-2cd26baa3d26
DisplayName: Configure Windows Arc Machines to be associated with a Data Collection Rule
Description: Deploy Association to link Windows Arc machines to specified Data Collection Rule. The list of locations are updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-02-18 17:44:00
add: c24c537f-2516-4c2f-aac5-2cd26baa3d26
Category: SQL
Id: c9299215-ae47-4f50-9c54-8a392f68a052
DisplayName: Public network access should be disabled for MySQL flexible servers
Description: Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-18 17:44:00
change: Major (1.0.0 > 2.0.0)
Category: Automanage
Id: f889cab7-da27-4c41-a3b0-de1f6f87c550
DisplayName: Configure virtual machines to be onboarded to Azure Automanage
Description: Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope.
Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor
2022-02-18 17:44:00
change: Major (1.0.0 > 2.0.0)
Category: Kubernetes
Id: a8eff44f-8c92-45c3-a3fb-9880802d67a7
DisplayName: Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Description: Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
2022-02-18 17:44:00
change: Major (3.0.0 > 4.0.0)
Category: Backup
Id: 345fa903-145c-4fe1-8bcd-93ec2adccde8
DisplayName: Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-02-11 18:30:22
change: Major (5.0.0 > 6.0.0)
Category: Container Registry
Id: 79fdfe03-ffcb-4e55-b4d0-b925b8241759
DisplayName: Configure container registries to disable local admin account.
Description: Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
2022-02-11 18:30:22
change: Patch (1.0.0 > 1.0.1)
Category: Container Registry
Id: 9f2dea28-e834-476c-99c5-3507b4728395
DisplayName: Container registries should have anonymous authentication disabled.
Description: Disable anonymous pull for your registry so that data is not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-11 18:30:22
add: 9f2dea28-e834-476c-99c5-3507b4728395
Category: Security Center
Id: 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28
DisplayName: [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
Description: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-02-11 18:30:22
change: Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview)
Category: Security Center
Id: aba46665-c3a7-4319-ace1-a0282deebac2
DisplayName: [Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
Description: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target Arc machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-02-11 18:30:22
add: aba46665-c3a7-4319-ace1-a0282deebac2
Category: Storage
Id: ddcf4b94-9dfa-4a80-aca6-22bb654fde72
DisplayName: Azure NetApp Files SMB Volumes should use SMB3 encryption
Description: Disallow the creation of SMB Volumes without SMB3 encryption to ensure data integrity and data privacy.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-11 18:30:22
add: ddcf4b94-9dfa-4a80-aca6-22bb654fde72
Category: Security Center
Id: 30f52897-df47-4ca0-81a8-a3be3e8dd226
DisplayName: [Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule
Description: Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-02-11 18:30:22
add: 30f52897-df47-4ca0-81a8-a3be3e8dd226
Category: Container Registry
Id: cced2946-b08a-44fe-9fd9-e4ed8a779897
DisplayName: Configure container registries to disable anonymous authentication.
Description: Disable anonymous pull for your registry so that data is not accessible by unauthenticated users. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
2022-02-11 18:30:22
add: cced2946-b08a-44fe-9fd9-e4ed8a779897
Category: Backup
Id: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86
DisplayName: Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-02-11 18:30:22
change: Major (5.0.0 > 6.0.0)
Category: Backup
Id: 09ce66bc-1220-4153-8104-e3f51c936913
DisplayName: Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-02-11 18:30:22
change: Major (5.0.0 > 6.0.0)
Category: Storage
Id: 7c6c7139-7d8e-45d0-9d94-72386a61308b
DisplayName: Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data encryption
Description: Only allow the use of Kerberos privacy (5p) security mode to ensure data is encrypted.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-11 18:30:22
add: 7c6c7139-7d8e-45d0-9d94-72386a61308b
Category: Storage
Id: d558e1a6-296d-4fbb-81a5-ea25822639f6
DisplayName: Azure NetApp Files Volumes should not use NFSv3 protocol type
Description: Disallow the use of NFSv3 protocol type to prevent unsecure access to volumes. NFSv4.1 with Kerberos protocol should be used to access NFS volumes to ensure data integrity and encryption.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-11 18:30:22
add: d558e1a6-296d-4fbb-81a5-ea25822639f6
Category: App Service
Id: 2d048aca-6479-4923-88f5-e2ac295d9af3
DisplayName: App Service Environment apps should not be reachable over public internet
Description: To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-11 18:30:22
change: Major (1.0.0 > 2.0.0)
Category: Security Center
Id: 3b1a8e0a-b2e1-48be-9365-28be2fbef550
DisplayName: [Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
Description: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-02-11 18:30:22
add: 3b1a8e0a-b2e1-48be-9365-28be2fbef550
Category: Storage
Id: 16f4af95-96b1-4220-805a-367ca59cd72e
DisplayName: Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data integrity or data privacy
Description: Ensure that at least either Kerberos integrity (krb5i) or Kerberos privacy (krb5p) is selected to ensure data integrity and data privacy.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-11 18:30:22
add: 16f4af95-96b1-4220-805a-367ca59cd72e
Category: Backup
Id: 83644c87-93dd-49fe-bf9f-6aff8fd0834e
DisplayName: Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.
Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2022-02-11 18:30:22
change: Major (5.0.0 > 6.0.0)
Category: Container Registry
Id: dc921057-6b28-4fbe-9b83-f7bec05db6c2
DisplayName: Container registries should have local admin account disabled.
Description: Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-11 18:30:22
change: Patch (1.0.0 > 1.0.1)
Category: Container Registry
Id: a9b426fe-8856-4945-8600-18c5dd1cca2a
DisplayName: Configure container registries to disable repository scoped access token.
Description: Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
2022-02-11 18:30:22
add: a9b426fe-8856-4945-8600-18c5dd1cca2a
Category: Container Registry
Id: ff05e24e-195c-447e-b322-5e90c9f9f366
DisplayName: Container registries should have repository scoped access token disabled.
Description: Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-11 18:30:22
add: ff05e24e-195c-447e-b322-5e90c9f9f366
Category: Security Center
Id: c9ae938d-3d6f-4466-b7c3-351761d9c890
DisplayName: [Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule
Description: Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-02-11 18:30:22
add: c9ae938d-3d6f-4466-b7c3-351761d9c890
Category: Monitoring
Id: ca817e41-e85a-4783-bc7f-dc532d36235e
DisplayName: Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity
Description: Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-02-04 18:25:37
change: Major (2.0.1 > 3.0.0)
Category: Security Center
Id: 9c0aa188-e5fe-4569-8f74-b6e155624d9a
DisplayName: [Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule
Description: Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-02-04 18:25:37
add: 9c0aa188-e5fe-4569-8f74-b6e155624d9a
Category: Security Center
Id: a2ea54a3-9707-45e3-8230-bbda8309d17e
DisplayName: [Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule
Description: Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2022-02-04 18:25:37
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Security Center
Id: 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28
DisplayName: [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
Description: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-02-04 18:25:37
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Category: Monitoring
Id: 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff
DisplayName: Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity
Description: Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2022-02-04 18:25:37
change: Major (1.0.0 > 2.0.0)
Category: Security Center
Id: 13ce0167-8ca6-4048-8e6b-f996402e3c1b
DisplayName: Configure machines to receive a vulnerability assessment provider
Description: Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2022-02-04 18:25:37
change: Major, suffix remains equal (2.2.0-preview > 3.0.0-preview)
Category: Kubernetes
Id: b1a9997f-2883-4f12-bdff-2280f99b5915
DisplayName: Ensure cluster containers have readiness or liveness probes configured
Description: This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-04 18:25:37
add: b1a9997f-2883-4f12-bdff-2280f99b5915
Category: Monitoring
Id: 3672e6f7-a74d-4763-b138-fcf332042f8f
DisplayName: Windows virtual machine scale sets should have Azure Monitor Agent installed
Description: Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-02-04 18:25:37
change: Major (1.0.0 > 2.0.0)
Category: SQL
Id: a9934fd7-29f2-4e6d-ab3d-607ea38e9079
DisplayName: SQL Managed Instances should avoid using GRS backup redundancy
Description: Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL.
Default: Deny
Allowed: (Deny, Disabled)
2022-02-04 18:25:37
change: Major (1.0.1 > 2.0.0)
Category: Automanage
Id: 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc
DisplayName: Hotpatch should be enabled for Windows Server Azure Edition VMs
Description: Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch
Default: Audit
Allowed: (Audit, Deny, Disabled)
2022-02-04 18:25:37
add: 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc
Category: Security Center
Id: c15c5978-ab6e-4599-a1c3-90a7918f5371
DisplayName: [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
Description: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target virtual machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-02-04 18:25:37
add: c15c5978-ab6e-4599-a1c3-90a7918f5371
Category: SQL
Id: b79fa14e-238a-4c2d-b376-442ce508fc84
DisplayName: Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace
Description: Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2022-02-04 18:25:37
change: Major (2.0.0 > 3.0.0)
Category: Monitoring
Id: c02729e5-e5e7-4458-97fa-2b5ad0661f28
DisplayName: Windows virtual machines should have Azure Monitor Agent installed
Description: Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-02-04 18:25:37
change: Major (1.0.0 > 2.0.0)
Category: Kubernetes
Id: 708b60a6-d253-4fe0-9114-4be4c00f012c
DisplayName: [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2022-02-04 18:25:37
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Category: Guest Configuration
Id: 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Account Logon'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Category: App Service
Id: 91a78b24-f231-4a8a-8da9-02c35b2b6510
DisplayName: App Service apps should have resource logs enabled
Description: Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Category: Guest Configuration
Id: 19be9779-c776-4dfa-8a15-a2fd5dc843d6
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Category: Guest Configuration
Id: 331e8ea8-378a-410f-a2e5-ae22f38bb0da
DisplayName: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Description: This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Fixed: deployIfNotExists
Contributor
2022-01-28 17:51:01
change: Major (1.2.0 > 2.0.0)
Category: Guest Configuration
Id: ea53dbee-c6c9-4f0e-9f9e-de0039b78023
DisplayName: Audit Linux machines that allow remote connections from accounts without passwords
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.2.0 > 2.0.0)
Category: Guest Configuration
Id: b18175dd-c599-4c64-83ba-bb018a06d35b
DisplayName: [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Category: Guest Configuration
Id: 35781875-8026-4628-b19b-f6efb4d88a1d
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Object Access'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Category: Guest Configuration
Id: ee984370-154a-4ee8-9726-19d900e56fc0
DisplayName: Windows machines should meet requirements for 'Security Options - Accounts'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Category: Guest Configuration
Id: f19aa1c1-6b91-4c27-ae6a-970279f03db9
DisplayName: [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
Description: This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Category: Guest Configuration
Id: 934345e1-4dfb-4c70-90d7-41990dc9608b
DisplayName: Audit Windows machines that do not contain the specified certificates in Trusted Root
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter.
Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.1 > 2.0.0)
Category: Guest Configuration
Id: 4d1c04de-2172-403f-901b-90608c35c721
DisplayName: [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed
Description: This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a minimum password age of 1 day. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | 84662df4-0e37-44a6-9ce1-c9d2150db18c | Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | bf16e0bb-31e1-4646-8202-60a235cc7e74 | Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the password complexity setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | ebb67efd-3c46-49b0-adfe-5599eb944998 | Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2022-01-28 17:51:01
change: Major (1.1.0 > 2.0.0)
Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Monitoring | 594c1276-f44f-482d-9910-71fac2ce5ae0 | [Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2022-01-28 17:51:01
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 | Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | beb6ccee-b6b8-4e91-9801-a5fa4260a104 | Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 1417908b-4bff-46ee-a2a6-4acc899320ab | Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | f79fef0d-0050-4c18-a303-5babb9c14ac7 | Windows machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | c5b85cba-6e6f-4de4-95e1-f0233cd712ac | Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2022-01-28 17:51:01
change: Major (1.1.0 > 2.0.0)
Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | da0f98fe-a24b-4ad5-af69-bd0400233661 | Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not store passwords using reversible encryption. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 | Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the passwd file permissions set to 0644. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.2.0 > 2.0.0)
Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.1.1 > 2.0.0)
Guest Configuration | 630ac30f-a234-4533-ac2d-e0df77acda51 | Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.2.0 > 3.0.0)
Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with matching status as specified by the policy parameter. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of the previous 24 passwords. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.1.0 > 2.0.0)
Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Guest Configuration | b4a4d1eb-0263-441b-84cb-a44073d8372d | Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a maximum password age of 70 days. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.3.0 > 2.0.0)
Guest Configuration | 33936777-f2ac-45aa-82ec-07958ec9ade4 | Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (3.0.0 > 4.0.0)
Guest Configuration | 6265018c-d7e2-432f-a75d-094d5f6f4465 | Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 8316fa92-d69c-4810-8124-62414f560dcf | Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 4221adbc-5c0f-474f-88b7-037a99e6114c | Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | Fixed: auditIfNotExists
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0)
Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2022-01-28 17:51:01
change: Patch (4.0.2 > 4.0.3)
Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (1.1.0 > 2.0.0)
Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (3.1.0 > 4.0.0)
Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0)
Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (1.0.1 > 2.0.0)
Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (2.0.0 > 3.0.0)
Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2022-01-28 17:51:01; change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (2.0.0 > 3.0.0)
Guest Configuration | 4078e558-bda6-41fb-9b3c-361e8875200d | Windows machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if the Log Analytics agent is not installed on an Azure Arc enabled Windows server. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (1.0.0 > 2.0.0)
Guest Configuration | 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 | Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | Fixed: auditIfNotExists | - | 2022-01-28 17:51:01; change: Major (1.0.0 > 2.0.0)
Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (2.0.0 > 3.0.0)
Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (2.0.0 > 3.0.0)
Guest Configuration | 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f | Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | Fixed: auditIfNotExists | - | 2022-01-28 17:51:01; change: Major (1.0.0 > 2.0.0)
Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (1.2.0 > 2.0.0)
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | 2022-01-28 17:51:01; change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)
Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (2.0.0 > 3.0.0)
Guest Configuration | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not restrict the minimum password length to 14 characters. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (1.0.0 > 2.0.0)
Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (3.2.0 > 4.0.0)
Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-28 17:51:01; change: Major (2.0.0 > 3.0.0)
Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists; Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor | 2022-01-21 21:53:22; add: f889cab7-da27-4c41-a3b0-de1f6f87c550
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | - | 2022-01-21 21:53:22; change: Patch (4.0.2 > 4.0.3)
Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | Contributor | 2022-01-21 21:53:22; change: Version remains equal, new suffix: version (4.1.0 > 4.1.0-version-deprecated)
App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use the latest 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-21 21:53:22; change: Minor (2.1.0 > 2.2.0)
General | 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 | [Deprecated]: Custom subscription owner roles should not exist | This policy is deprecated. | Default: Audit; Allowed: (Audit, Disabled) | - | 2022-01-21 21:53:22; change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default: Audit; Allowed: (Audit, Deny, Disabled) | - | 2022-01-21 21:53:22; change: Major (1.0.0 > 2.0.0)
Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting; Allowed: (enforceSetting, disabled) | - | 2022-01-14 17:44:09; change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting; Allowed: (enforceSetting, disabled) | - | 2022-01-14 17:44:09; change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Azure Edge Hardware Center | 08a6b96f-576e-47a2-8511-119a212d344d | Azure Edge Hardware Center devices should have double encryption support enabled | Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. | Default: Audit; Allowed: (Audit, Deny, Disabled) | - | 2022-01-14 17:44:09; change: Major (1.0.0 > 2.0.0)
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting; Allowed: (enforceSetting, disabled) | - | 2022-01-14 17:44:09; change: Major, suffix remains equal (3.1.0-preview > 4.0.0-preview)
Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is being deprecated because the container port is only an informative field and cannot determine the port a container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | - | 2022-01-07 18:14:35; change: Patch, new suffix: deprecated (6.1.2 > 6.1.3-deprecated)
Backup | 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 | [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Backup Contributor | 2022-01-07 18:14:35; change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Monitoring | bacd7fca-1938-443d-aad6-a786107b1bfb | [Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | Contributor | 2022-01-07 18:14:35; add: bacd7fca-1938-443d-aad6-a786107b1bfb
Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting | Audit diagnostic setting for selected resource types | Fixed: AuditIfNotExists | - | 2022-01-07 18:14:35; change: Minor (1.0.0 > 1.1.0)
Bot Service | 52152f42-0dda-40d9-976e-abb1acdd611e | Bot Service should have isolated mode enabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | - | 2022-01-07 18:14:35; change: Major (1.0.0 > 2.0.0)
Internet of Things | 27d4c5ec-8820-443f-91fe-1215e96f64b2 | Azure Device Update for IoT Hub accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Device Update for IoT Hub accounts, data leakage risks are reduced. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-07 18:14:35; add: 27d4c5ec-8820-443f-91fe-1215e96f64b2
Azure Purview | 9259053b-ddb8-40ab-842a-0aef19d0ade4 | Azure Purview accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. | Default: Audit; Allowed: (Audit, Disabled) | - | 2022-01-07 18:14:35; add: 9259053b-ddb8-40ab-842a-0aef19d0ade4
Monitoring | 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 | Configure Log Analytics workspace and automation account to centralize logs and monitoring | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is a prerequisite for solutions like Updates and Change Tracking. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor | 2022-01-07 18:14:35; change: Major (1.0.0 > 2.0.0)
Monitoring | 594c1276-f44f-482d-9910-71fac2ce5ae0 | [Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | Contributor | 2022-01-07 18:14:35; add: 594c1276-f44f-482d-9910-71fac2ce5ae0
Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | Container registry images should have vulnerability findings resolved | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-07 18:14:35; change: Patch (2.0.0 > 2.0.1)
Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | Running container images should have vulnerability findings resolved | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-07 18:14:35; change: Patch (1.0.0 > 1.0.1)
Backup | 615b01c4-d565-4f6f-8c6e-d130268e3a1a | [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Backup Contributor | 2022-01-07 18:14:35; change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
SQL | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default: Audit; Allowed: (Audit, Deny, Disabled) | - | 2022-01-07 18:14:35; change: Patch (2.0.0 > 2.0.1)
Monitoring | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-07 18:14:35; change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
App Service | b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 | [Deprecated]: Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-07 18:14:35; change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
Storage | bc1b984e-ddae-40cc-801a-050a030e4fbe | Storage accounts should have shared access signature (SAS) policies configured | Ensure storage accounts have a shared access signature (SAS) expiration policy enabled. Users use a SAS to delegate access to resources in an Azure Storage account, and a SAS expiration policy recommends an upper expiration limit when a user creates a SAS token. | Default: Audit; Allowed: (Audit, Deny, Disabled) | - | 2022-01-07 18:14:35; add: bc1b984e-ddae-40cc-801a-050a030e4fbe
Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-07 18:14:35; change: Patch (1.0.1 > 1.0.2)
Monitoring | 04c4380f-3fae-46e8-96c9-30193528f602 | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2022-01-07 18:14:35; change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
Network | 5e1cd26a-5090-4fdb-9d6a-84a90335e22d | Configure network security groups to use specific workspace for traffic analytics | If a network security group already has traffic analytics enabled, the policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | Contributor | 2021-12-10 17:29:56; change: Patch (1.0.0 > 1.0.1)
Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures a flow log for a specific network security group, which allows information about IP traffic flowing through the network security group to be logged. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | Fixed: deployIfNotExists | Contributor | 2021-12-10 17:29:56; change: Patch (1.0.0 > 1.0.1)
Network | e920df7f-9a64-4066-9b58-52684c02a091 | Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has traffic analytics enabled, the policy does not overwrite its settings. Flow logs are also enabled for the network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | Contributor | 2021-12-10 17:29:56; change: Patch (1.0.0 > 1.0.1)
Kubernetes | c050047b-b21b-4822-8a2d-c1e37c3c0c6a | Configure Kubernetes clusters with specified GitOps configuration using SSH secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires an SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists; Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor | 2021-12-10 17:29:56; change: Patch (1.0.0 > 1.0.1)
Kubernetes | a6f560f4-f582-4b67-b123-a37dcd1bf7ea | Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists; Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor | 2021-12-10 17:29:56; change: Patch (1.0.0 > 1.0.1)
SQL | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default: Audit; Allowed: (Audit, Deny, Disabled) | - | 2021-12-06 22:17:57; change: Major, old suffix: preview (1.0.0-preview > 2.0.0)
Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | Kubernetes Extension Contributor | 2021-12-06 22:17:57; add: 0adc5395-9169-4b9b-8687-af838d69410a
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: Deny; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | - | 2021-12-06 22:17:57; change: Patch (6.0.0 > 6.0.1)
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | - | 2021-12-06 22:17:57; change: Patch (4.0.1 > 4.0.2)
Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2021-12-06 22:17:57; change: Minor (2.1.0 > 2.2.0)
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | - | 2021-12-06 22:17:57; change: Patch (4.0.1 > 4.0.2)
Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | - | 2021-12-06 22:17:57; change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Guest Configuration | 1e7fed80-8321-4605-b42c-65fc300f23a3 | Linux machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if the Log Analytics agent is not installed on an Azure Arc enabled Linux server. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | - | 2021-12-06 22:17:57; change: Minor (1.0.0 > 1.1.0)
Video Analyzers | 165a4137-c3ed-4fd0-a17f-1c8a80266580 | Video Analyzer accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Video Analyzer accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/videoanalyzerscmkdocs. | Default: Audit; Allowed: (Audit, Deny, Disabled) | - | 2021-12-06 22:17:57; add: 165a4137-c3ed-4fd0-a17f-1c8a80266580
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | - | 2021-12-06 22:17:57; change: Patch (5.0.1 > 5.0.2)
Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | 2021-12-06 22:17:57; change: Minor (1.1.0 > 1.2.0)
Security Center | 2370a3c1-4a25-4283-a91a-c9c1a145fb2f | Configure Azure Defender for DNS to be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | Security Admin | 2021-12-06 22:17:57; change: Patch (1.0.0 > 1.0.1)
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2)
Compute | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-12-06 22:17:57
change: Major (2.0.0 > 3.0.0)
Security Center | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
add: 1c988dd6-ade4-430f-a608-2a3e5b0a6d38
Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (7.0.0 > 7.0.1)
Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2)
Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow the creation of privileged containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (7.0.0 > 7.0.1)
Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists
Contributor
2021-12-06 22:17:57
change: Minor (1.1.1 > 1.2.0)
Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-12-06 22:17:57
change: Major (1.0.1 > 2.0.0)
Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | [Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
add: 6b2122c1-8120-4ff5-801b-17625a355590
Security Center | b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d | Configure Azure Defender for App Service to be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2021-12-06 22:17:57
change: Patch (1.0.0 > 1.0.1)
Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Block specific security capabilities in Kubernetes clusters so that Pod resources do not obtain privileges that were not granted to them. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2)
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify
Contributor
2021-12-06 22:17:57
change: Minor (1.0.0 > 1.1.0)
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (4.0.0 > 4.0.1)
Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch, suffix remains equal (4.0.1-deprecated > 4.0.2-deprecated)
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read-only root file system to protect against run-time changes such as malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2)
Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2021-12-06 22:17:57
change: Major (4.0.0 > 5.0.0)
Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | [Deprecated]: Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated)
Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (6.0.0 > 6.0.1)
Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure Defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-12-06 22:17:57
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
Backup | 615b01c4-d565-4f6f-8c6e-d130268e3a1a | [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Backup Contributor
2021-12-06 22:17:57
add: 615b01c4-d565-4f6f-8c6e-d130268e3a1a
Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (2.0.1 > 2.0.2)
Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (6.0.0 > 6.0.1)
SQL | 048248b0-55cd-46da-b1ff-39efd52db260 | [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest | This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 instead. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.2 > 1.0.2-deprecated)
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2)
Backup | 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 | [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Backup Contributor
2021-12-06 22:17:57
add: 958dbd4e-0e20-4385-a082-d3f20c2a6ad8
Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | [Deprecated]: Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated)
Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (2.1.1 > 2.1.2)
Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2021-12-06 22:17:57
change: Major (4.0.0 > 5.0.0)
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2)
Security Center | c9ddb292-b203-4738-aead-18e2716e858f | Configure Microsoft Defender for Containers to be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2021-12-06 22:17:57
add: c9ddb292-b203-4738-aead-18e2716e858f
Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Minor (3.1.0 > 3.2.0)
Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is being deprecated because containerPort is only an informational field and cannot determine which port the container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (6.1.1 > 6.1.2)
Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2021-12-06 22:17:57
change: Major (4.0.0 > 5.0.0)
Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Minor (1.1.0 > 1.2.0)
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify
Contributor
2021-12-06 22:17:57
change: Minor (1.0.0 > 1.1.0)
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists
Contributor
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Monitoring | a499fed8-bcc8-4195-b154-641f14743757 | Azure Monitor Private Link Scope should block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-12-06 22:17:57
add: a499fed8-bcc8-4195-b154-641f14743757
Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Minor (1.2.0 > 1.3.0)
Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
2021-12-06 22:17:57
change: Major (2.0.0 > 3.0.0)
Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2021-12-06 22:17:57
change: Major (4.0.0 > 5.0.0)
Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Minor (1.0.0 > 1.1.0)
Security Center | 1f725891-01c0-420a-9059-4fa46cb770b7 | Configure Azure Defender for Key Vaults to be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2021-12-06 22:17:57
change: Patch (1.0.0 > 1.0.1)
Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | Running container images should have vulnerability findings resolved | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
add: 0fc39691-5a3f-4e3e-94ee-2e6447309ad9
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2)
Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Minor (3.0.0 > 3.1.0)
App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2021-12-06 22:17:57
change: Minor (1.0.0 > 1.1.0)
Monitoring | bec5db8e-c4e3-40f9-a545-e0bd00065c82 | Configure Azure Monitor Private Link Scope to block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-12-06 22:17:57
add: bec5db8e-c4e3-40f9-a545-e0bd00065c82
Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Minor (2.0.1 > 2.1.0)
Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (4.0.2 > 4.0.3)
Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2)
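The pod-level Kubernetes definitions in this changelog (privileged containers, privilege escalation, read-only root file system, allowed capabilities and CAP_SYS_ADMIN, host network and host port range, hostPath prefixes, automounted API credentials, approved user IDs, CPU and memory limit ceilings, and the default namespace) all evaluate fields of a Pod spec. The following is an added example, not Azure Policy or Gatekeeper code, that applies the same checks offline to a manifest so the effect of each control can be seen before a Deny assignment rejects a deployment. The allow-lists and ceilings are assumed stand-ins for the assignment parameters, and both manifests are constructed.

```python
"""Offline check of a Pod manifest against the pod-level controls that the
Kubernetes policy definitions above audit or deny. Added example, not Azure
Policy or Gatekeeper code; the thresholds stand in for assignment parameters."""
from typing import Any

# Assumed parameter values (the real definitions take these from the assignment).
ALLOWED_CAPABILITIES = {"NET_BIND_SERVICE", "CHOWN"}
ALLOWED_HOST_PATH_PREFIXES = ("/var/log/",)
ALLOWED_HOST_PORT_RANGE = (30000, 32767)
ALLOWED_UID_RANGE = (1000, 65535)
MAX_CPU_MILLICORES, MAX_MEMORY_BYTES = 2000, 4 * 1024 ** 3
_MEM_UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_cpu_millicores(q: str) -> int:
    """'500m' -> 500, '2' -> 2000, '0.5' -> 500."""
    q = str(q)
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)


def parse_memory_bytes(q: str) -> int:
    """'256Mi' -> 268435456; two-letter binary suffixes are matched before decimal ones."""
    q = str(q)
    for suffix in sorted(_MEM_UNITS, key=len, reverse=True):
        if q.endswith(suffix):
            return int(float(q[: -len(suffix)]) * _MEM_UNITS[suffix])
    return int(float(q))


def evaluate_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding per violated control; an empty list means the pod passes."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    if pod.get("metadata", {}).get("namespace", "default") == "default":
        findings.append("pod uses the default namespace")
    if spec.get("hostNetwork"):
        findings.append("pod uses the host network")
    if spec.get("automountServiceAccountToken", True):  # the Kubernetes default is true
        findings.append("service account token is automounted")
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp and not hp["path"].startswith(ALLOWED_HOST_PATH_PREFIXES):
            findings.append(f"hostPath {hp['path']} is outside the allowed prefixes")
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = {**pod_sc, **(c.get("securityContext") or {})}  # container fields override pod fields
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # unset means escalation is allowed
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        added = {cap.removeprefix("CAP_") for cap in (sc.get("capabilities") or {}).get("add", [])}
        if "SYS_ADMIN" in added:
            findings.append(f"{name}: grants CAP_SYS_ADMIN")
        for cap in sorted(added - ALLOWED_CAPABILITIES - {"SYS_ADMIN"}):
            findings.append(f"{name}: capability {cap} is not in the allow-list")
        uid = sc.get("runAsUser")
        if uid is None or not ALLOWED_UID_RANGE[0] <= uid <= ALLOWED_UID_RANGE[1]:
            findings.append(f"{name}: runAsUser {uid} is outside the allowed range")
        for port in c.get("ports", []):
            hport = port.get("hostPort")
            if hport is not None and not ALLOWED_HOST_PORT_RANGE[0] <= hport <= ALLOWED_HOST_PORT_RANGE[1]:
                findings.append(f"{name}: hostPort {hport} is outside the allowed range")
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits or parse_cpu_millicores(limits["cpu"]) > MAX_CPU_MILLICORES:
            findings.append(f"{name}: cpu limit missing or above the ceiling")
        if "memory" not in limits or parse_memory_bytes(limits["memory"]) > MAX_MEMORY_BYTES:
            findings.append(f"{name}: memory limit missing or above the ceiling")
    return findings


# Constructed sample manifests (plain dicts, so no YAML library is needed).
RISKY_POD = {
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {"hostNetwork": True, "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True,
                                                 "capabilities": {"add": ["SYS_ADMIN", "NET_RAW"]}},
                             "ports": [{"containerPort": 80, "hostPort": 80}]}]},
}
HARDENED_POD = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"automountServiceAccountToken": False, "securityContext": {"runAsUser": 10001},
             "containers": [{"name": "web", "image": "example/web:1.0",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True,
                                                 "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
                             "ports": [{"containerPort": 8080}],
                             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]},
}
```

evaluate_pod(RISKY_POD) returns thirteen findings and evaluate_pod(HARDENED_POD) returns none. The container securityContext is merged over the pod securityContext, which is how Kubernetes resolves runAsUser, and an unset allowPrivilegeEscalation counts as a finding because the API default is true; load a real manifest with a YAML parser and pass the resulting dict.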
Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Minor (1.1.0 > 1.2.0)
Security Center | 133047bf-1369-41e3-a3be-74a11ed1395a | [Deprecated]: Configure Azure Defender for Kubernetes to be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Category: SQL
Id: ac01ad65-10e5-46df-bdd9-6b0cad13e1d2
DisplayName: SQL managed instances should use customer-managed keys to encrypt data at rest
Description: Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
Default effect: Audit
Allowed: (Audit, Deny, Disabled)
2021-12-06 22:17:57
change: Major, old suffix: preview (1.0.0-preview > 2.0.0)
Category: Kubernetes
Id: 1ddac26b-ed48-4c30-8cc5-3a68c79b8001
DisplayName: Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit
Description: ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740 (Endpoint & EndpointSlice permissions allow cross-Namespace forwarding; see https://github.com/kubernetes/kubernetes/issues/103675). This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default effect: Audit
Allowed: (Audit, Disabled)
2021-12-06 22:17:57
change: Patch (1.0.0 > 1.0.1)
Category: Guest Configuration
Id: e6955644-301c-44b5-a4c4-528577de6861
DisplayName: Audit Linux machines that do not have the passwd file permissions set to 0644
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that do not have the passwd file permissions set to 0644.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Minor (1.1.0 > 1.2.0)
Category: Kubernetes
Id: f4a8fce0-2dd5-4c21-9a36-8f0ec809d663
DisplayName: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
Description: Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default effect: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2)
Category: Kubernetes
Id: febd0533-8e55-448f-b837-bd0e06f16469
DisplayName: Kubernetes cluster containers should only use allowed images
Description: Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default effect: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (7.0.3 > 7.0.4)
Category: Kubernetes
Id: 233a2a17-77ca-4fb1-9b6b-69223d272a44
DisplayName: Kubernetes cluster services should listen only on allowed ports
Description: Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default effect: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (6.1.1 > 6.1.2)
Category: Kubernetes
Id: 511f5417-5d12-434d-ab2e-816901e72a5e
DisplayName: Kubernetes cluster containers should only use allowed AppArmor profiles
Description: Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default effect: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2)
Category: Guest Configuration
Id: 5b842acb-0fe7-41b0-9f40-880ec4ad84d8
DisplayName: [Deprecated]: Show audit results from Linux VMs that have the specified applications installed
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed effect: auditIfNotExists
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Category: SQL
Id: 0d134df8-db83-46fb-ad72-fe0c9428c8dd
DisplayName: [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest
Description: This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 instead.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (2.0.1 > 2.0.1-deprecated)
Category: Kubernetes
Id: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
DisplayName: Kubernetes cluster containers should not share host process ID or host IPC namespace
Description: Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default effect: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2)
Category: Monitoring
Id: c9c29499-c1d1-4195-99bd-2ec9e3a9dc89
DisplayName: Deploy Diagnostic Settings for Network Security Groups
Description: This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.
Fixed effect: deployIfNotExists
Roles used: Monitoring Contributor, Storage Account Contributor
2021-12-06 22:17:57
change: Major (1.0.0 > 2.0.0)
Category: Guest Configuration
Id: 884b209a-963b-4520-8006-d20cb3c213e0
DisplayName: [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed
Description: This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed effect: deployIfNotExists
Roles used: Contributor
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Category: Guest Configuration
Id: b18175dd-c599-4c64-83ba-bb018a06d35b
DisplayName: [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed effect: auditIfNotExists
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Category: Guest Configuration
Id: 4d1c04de-2172-403f-901b-90608c35c721
DisplayName: [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed
Description: This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed effect: deployIfNotExists
Roles used: Contributor
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Category: Kubernetes
Id: 36a27de4-199b-40fb-b336-945a8475d6c5
DisplayName: Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access
Description: Improve cluster security by centrally governing Administrator access to Azure Active Directory integrated AKS clusters.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment
2021-12-06 22:17:57
add: 36a27de4-199b-40fb-b336-945a8475d6c5
Category: Guest Configuration
Id: 3470477a-b35a-49db-aca5-1073d04524fe
DisplayName: [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords
Description: This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed effect: deployIfNotExists
Roles used: Contributor
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)
Category: Security Center
Id: d3d1e68e-49d4-4b56-acff-93cef644b432
DisplayName: [Deprecated]: Configure Azure Defender for container registries to be enabled
Description: Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Category: Kubernetes
Id: d46c275d-1680-448d-b2ec-e495a3b6cc89
DisplayName: Kubernetes cluster services should only use allowed external IPs
Description: Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.
Default effect: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2)
Category: Security Center
Id: b7021b2b-08fd-4dc0-9de7-3c6ece09faf9
DisplayName: Configure Azure Defender for Resource Manager to be enabled
Description: Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
2021-12-06 22:17:57
change: Patch (1.0.0 > 1.0.1)
Category: Security Center
Id: a7f5e735-d212-4c32-9229-d12bffbc7e00
DisplayName: [Preview]: ChangeTracking extension should be installed on your Windows Arc machine
Description: Install ChangeTracking Extension on Windows Arc machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
add: a7f5e735-d212-4c32-9229-d12bffbc7e00
Category: Security Center
Id: 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff
DisplayName: [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines
Description: Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 5.0.0-preview)
Category: Security Center
Id: ec88097d-843f-4a92-8471-78016d337ba4
DisplayName: [Preview]: Configure ChangeTracking Extension for Linux virtual machines
Description: Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2021-11-12 16:23:07
add: ec88097d-843f-4a92-8471-78016d337ba4
Category: Backup
Id: 09ce66bc-1220-4153-8104-e3f51c936913
DisplayName: Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.
Default effect: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
2021-11-12 16:23:07
change: Major (3.0.0 > 4.0.0)
Category: Security Center
Id: 4bb303db-d051-4099-95d2-e3e1428a4cd5
DisplayName: [Preview]: Configure ChangeTracking Extension for Windows Arc machines
Description: Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Log Analytics Contributor
2021-11-12 16:23:07
add: 4bb303db-d051-4099-95d2-e3e1428a4cd5
Category: Stream Analytics
Id: fe8684d6-3c5b-45c0-a08b-fa92653c2e1c
DisplayName: Stream Analytics job should connect to trusted inputs and outputs
Description: Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization.
Default effect: Audit
Allowed: (Deny, Disabled, Audit)
2021-11-12 16:23:07
add: fe8684d6-3c5b-45c0-a08b-fa92653c2e1c
Category: Kubernetes
Id: 708b60a6-d253-4fe0-9114-4be4c00f012c
DisplayName: [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Contributor, Log Analytics Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Category: Security Center
Id: 10caed8a-652c-4d1d-84e4-2805b7c07278
DisplayName: [Preview]: Configure ChangeTracking Extension for Linux Arc machines
Description: Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Log Analytics Contributor
2021-11-12 16:23:07
add: 10caed8a-652c-4d1d-84e4-2805b7c07278
Category: Backup
Id: 345fa903-145c-4fe1-8bcd-93ec2adccde8
DisplayName: Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag.
Default effect: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
2021-11-12 16:23:07
change: Major (3.0.0 > 4.0.0)
Category: Security Center
Id: 5f8eb305-9c9f-4abe-9bb0-df220d9faba2
DisplayName: [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent
Description: Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)
Category: Backup
Id: 013e242c-8828-4970-87b3-ab247555486d
DisplayName: Azure Backup should be enabled for Virtual Machines
Description: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
change: Major (2.0.0 > 3.0.0)
Category: Security Center
Id: e71c1e29-9c76-4532-8c4b-cb0573b0014c
DisplayName: [Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets
Description: Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
add: e71c1e29-9c76-4532-8c4b-cb0573b0014c
Category: Security Center
Id: d62cfe2b-3ab0-4d41-980d-76803b58ca65
DisplayName: [Deprecated]: Log Analytics agent health issues should be resolved on your machines
Description: Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Category: Security Center
Id: 8893442c-e7cb-4637-bab8-299a5d4ed96a
DisplayName: [Preview]: ChangeTracking extension should be installed on your Linux virtual machine
Description: Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
add: 8893442c-e7cb-4637-bab8-299a5d4ed96a
Category: Media Services
Id: 9285c3de-d5fd-4225-86d4-027894b0c442
DisplayName: Azure Media Services should use customer-managed keys to encrypt data at rest
Description: Use customer-managed keys to manage the encryption at rest of your Media Services accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/mediaservicescmkdocs.
Default effect: Audit
Allowed: (Audit, Deny, Disabled)
2021-11-12 16:23:07
add: 9285c3de-d5fd-4225-86d4-027894b0c442
Category: Security Center
Id: 1cb4d9c2-f88f-4069-bee0-dba239a57b09
DisplayName: [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines
Description: Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 3.0.0-preview)
Category: Kubernetes
Id: 8dfab9c4-fe7b-49ad-85e4-1e9be085358f
DisplayName: [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Category: Security Center
Id: c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf
DisplayName: [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension
Description: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Category: Data Factory
Id: f78ccdb4-7bf4-4106-8647-270491d2978a
DisplayName: [Preview]: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported
Description: Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings.
Default effect: Audit
Allowed: (Audit, Deny, Disabled)
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Kubernetes
Id: 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759
DisplayName: [Preview]: Kubernetes clusters should gate deployment of vulnerable images
Description: Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure Defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers.
Default effect: Audit
Allowed: (Audit, Deny, Disabled)
2021-11-12 16:23:07
change: Patch, new suffix: preview (1.0.0 > 1.0.1-preview)
Category: Network
Id: 055aa869-bc98-4af8-bafc-23f1ab6ffe2c
DisplayName: Azure Web Application Firewall should be enabled for Azure Front Door entry-points
Description: Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.
Default effect: Audit
Allowed: (Audit, Deny, Disabled)
2021-11-12 16:23:07
change: Patch (1.0.1 > 1.0.2)
Category: Kubernetes
Id: febd0533-8e55-448f-b837-bd0e06f16469
DisplayName: Kubernetes cluster containers should only use allowed images
Description: Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default effect: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-11-12 16:23:07
change: Patch (7.0.2 > 7.0.3)
Category: Security Center
Id: 95406fc3-1f69-47b0-8105-4c03b276ec5c
DisplayName: [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot
Description: Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 5.0.0-preview)
Category: Security Center
Id: 98ea2fc7-6fc6-4fd1-9d8d-6331154da071
DisplayName: [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension
Description: Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 4.0.0-preview)
Category: Security Center
Id: fc47609f-4d9b-4aed-806b-446816cc63a3
DisplayName: [Preview]: ChangeTracking extension should be installed on your Linux Arc machine
Description: Install ChangeTracking Extension on Linux Arc machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
add: fc47609f-4d9b-4aed-806b-446816cc63a3
Category: Security Center
Id: 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e
DisplayName: [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension
Description: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (3.0.0-preview > 5.0.0-preview)
Category: Security Center
Id: f08f556c-12ff-464d-a7de-40cb5b6cccec
DisplayName: [Preview]: Configure ChangeTracking Extension for Windows virtual machines
Description: Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2021-11-12 16:23:07
add: f08f556c-12ff-464d-a7de-40cb5b6cccec
Category: Security Center
Id: 97566dd7-78ae-4997-8b36-1c7bfe0d8121
DisplayName: [Preview]: Secure Boot should be enabled on supported Windows virtual machines
Description: Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines.
Default effect: Audit
Allowed: (Audit, Disabled)
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 3.0.0-preview)
Category: Backup
Id: 83644c87-93dd-49fe-bf9f-6aff8fd0834e
DisplayName: Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.
Default effect: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
2021-11-12 16:23:07
change: Major (3.0.0 > 4.0.0)
Category: Security Center
Id: 221aac80-54d8-484b-83d7-24f4feac2ce0
DisplayName: [Preview]: ChangeTracking extension should be installed on your Windows virtual machine
Description: Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent.
Default effect: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
add: 221aac80-54d8-484b-83d7-24f4feac2ce0
Category: Security Center
Id: 4bb303db-d051-4099-95d2-e3e1428a4d2c
DisplayName: [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets
Description: Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2021-11-12 16:23:07
add: 4bb303db-d051-4099-95d2-e3e1428a4d2c
Category: Security Center
Id: 1288c8d7-4b05-4e3a-bc88-9053caefc021
DisplayName: [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets
Description: Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.
Default effect: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Virtual Machine Contributor
2021-11-12 16:23:07
add: 1288c8d7-4b05-4e3a-bc88-9053caefc021
Category: Security Center
Id: 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3
DisplayName: [Preview]: vTPM should be enabled on supported virtual machines
Description: Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.
Default effect: Audit
Allowed: (Audit, Disabled)
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Security Center | e494853f-93c3-4e44-9210-d12f61a64b34 | [Preview]: Configure supported virtual machines to automatically enable vTPM | Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Security Center | 7cb1b219-61c6-47e0-b80c-4472cadeeb5f | [Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot | Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 3.0.0-preview)
Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default: Audit
Allowed: (Audit, Disabled)
2021-11-12 16:23:07
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
Security Center | 009259b0-12e8-42c9-94e7-7af86aa58d13 | [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Reader
Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor
Backup Contributor
2021-11-12 16:23:07
change: Major (3.0.0 > 4.0.0)
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2021-11-12 16:23:07
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 4.0.0-preview)
Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d00 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets | Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
add: 4bb303db-d051-4099-95d2-e3e1428a4d00
Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (3.0.0-preview > 6.0.0-preview)
Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Security Center | 496e010e-fa91-4c00-be4b-92b481f67b58 | [Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension | Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Reader
Virtual Machine Contributor
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-10-25 16:02:14
change: Patch (7.0.1 > 7.0.2)
Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-10-25 16:02:14
change: Version remains equal, new suffix: preview (2.0.1 > 2.0.1-preview)
Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-10-22 15:42:38
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Security Center | 009259b0-12e8-42c9-94e7-7af86aa58d13 | [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Reader
Virtual Machine Contributor
2021-10-22 15:42:38
add: 009259b0-12e8-42c9-94e7-7af86aa58d13
Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-10-22 15:42:38
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-10-22 15:42:38
add: 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff
Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-10-22 15:42:38
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-22 15:42:38
add: 3672e6f7-a74d-4763-b138-fcf332042f8f
SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-10-22 15:42:38
change: Major (1.0.1 > 2.0.0)
Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-22 15:42:38
add: c02729e5-e5e7-4458-97fa-2b5ad0661f28
Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Connected Machine Resource Administrator
2021-10-22 15:42:38
add: 94f686d6-9a24-4e19-91f1-de937dc171a4
Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-22 15:42:38
add: ec621e21-8b48-403d-a549-fc9023d4747f
Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-10-22 15:42:38
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Security Center | 0961003e-5a0a-4549-abde-af6a37f2724d | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-22 15:42:38
change: Patch (2.0.2 > 2.0.3)
Security Center | 496e010e-fa91-4c00-be4b-92b481f67b58 | [Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension | Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Reader
Virtual Machine Contributor
2021-10-22 15:42:38
add: 496e010e-fa91-4c00-be4b-92b481f67b58
Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-10-19 19:10:32
add: 56a3e4f8-649b-4fac-887e-5564d11e8d3a
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-10-19 19:10:32
change: Patch (1.0.0 > 1.0.1)
Search | 6300012e-e9a4-4649-b41f-a85f5c43be91 | Azure Cognitive Search services should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure Cognitive Search portal functionality since some features of the Portal use the GA API which does not support the parameter. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-10-19 19:10:32
add: 6300012e-e9a4-4649-b41f-a85f5c43be91
Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default: Modify
Allowed: (Modify, Disabled)
Virtual Machine Contributor
Managed Identity Contributor
Managed Identity Operator
2021-10-19 19:10:32
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Connected Machine Resource Administrator
2021-10-19 19:10:32
add: 845857af-0333-4c5d-bbbc-6076697da122
Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-19 19:10:32
add: 32ade945-311e-4249-b8a4-a549924234d7
Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-19 19:10:32
change: Version remains equal, old suffix: preview (1.0.1-preview > 1.0.1)
Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-10-19 19:10:32
change: Patch (2.0.0 > 2.0.1)
Search | 4eb216f2-9dba-4979-86e6-5d7e63ce3b75 | Configure Azure Cognitive Search services to disable local authentication | Disable local authentication methods so that your Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. | Default: Modify
Allowed: (Modify, Disabled)
Search Service Contributor
2021-10-19 19:10:32
add: 4eb216f2-9dba-4979-86e6-5d7e63ce3b75
Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-19 19:10:32
add: f17d891d-ff20-46f2-bad3-9e0a5403a4d3
Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-19 19:10:32
change: Version remains equal, old suffix: preview (1.2.0-preview > 1.2.0)
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-10-19 19:10:32
change: Major (1.0.0 > 2.0.0)
Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-19 19:10:32
add: 1afdc4b6-581a-45fb-b630-f1e6051e3e7a
Compute | 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 | [Deprecated]: Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Default: Audit
Allowed: (Audit, Disabled)
2021-10-19 19:10:32
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-10-19 19:10:32
change: Minor (1.0.0 > 1.1.0)
Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Owner
2021-10-08 15:47:40
change: Major (1.2.0 > 2.0.0)
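Every DeployIfNotExists or Modify row in this log lists the roles its remediation needs; assigning such a definition creates a managed identity that holds those roles across the whole assignment scope, so a row carrying Owner (as the Site Recovery row above does) or Contributor deserves the same review as a human with that role would get. A Major bump on a remediation definition changes the template the next remediation task deploys. The following is an added example, not tooling from this site: it transcribes a handful of rows from this page into records and flags remediation definitions by role breadth and version-bump kind. The breadth ranking is this example's own assumption, not an Azure RBAC property.

```python
"""Triage of remediation definitions in this changelog. Added example; the records are
transcribed from rows on this page, and the role-breadth ranking is this example's own
assumption, not an Azure RBAC property."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Roles a DeployIfNotExists/Modify assignment grants to its managed identity, ranked by
# how much of the assignment scope that identity could then change (assumed ordering).
ROLE_BREADTH = {"Owner": 3, "Contributor": 2}
DEFAULT_BREADTH = 1          # service-scoped roles such as Virtual Machine Contributor
REMEDIATION_EFFECTS = {"deployifnotexists", "modify"}

@dataclass(frozen=True)
class PolicyChange:
    id: str
    name: str
    effect: str              # the Default/Fixed effect from the row
    roles: tuple[str, ...]   # the "Roles used" column
    change: str              # the "change:" / "add:" line

def parse_change(line: str) -> tuple[str, str | None, str | None]:
    """'change: Major (1.2.0 > 2.0.0)' -> ('Major', '1.2.0', '2.0.0'); 'add: <id>' -> ('add', None, None)."""
    if line.startswith("add:"):
        return "add", None, None
    m = re.match(r"change: (\w+).*?\(([\w.\-]+) > ([\w.\-]+)\)", line)
    if not m:
        raise ValueError(f"unrecognised change line: {line!r}")
    return m.group(1), m.group(2), m.group(3)

def breadth(roles: tuple[str, ...]) -> int:
    return max((ROLE_BREADTH.get(r, DEFAULT_BREADTH) for r in roles), default=0)

def triage(rows, min_breadth: int = 2) -> list[dict]:
    """Remediation definitions whose identity needs a broad role, or whose remediation
    template changed (Major bump). Audit-only definitions never create an identity."""
    flagged = []
    for row in rows:
        if row.effect.lower() not in REMEDIATION_EFFECTS:
            continue
        kind, old, new = parse_change(row.change)
        b = breadth(row.roles)
        if b >= min_breadth or kind == "Major":
            flagged.append({"id": row.id, "name": row.name, "breadth": b,
                            "roles": row.roles, "change": kind, "from": old, "to": new})
    flagged.sort(key=lambda f: (-f["breadth"], f["name"]))
    return flagged

# Rows transcribed from this page.
ROWS = (
    PolicyChange("ac34a73f-9fa5-4067-9247-a3ecae514468",
                 "Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery",
                 "DeployIfNotExists", ("Owner",), "change: Major (1.2.0 > 2.0.0)"),
    PolicyChange("8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28",
                 "[Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent",
                 "DeployIfNotExists", ("Contributor",), "change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)"),
    PolicyChange("2676090a-4baf-46ac-9085-4ac02cc50e3e",
                 "Configure Azure HDInsight clusters with private endpoints",
                 "DeployIfNotExists", ("Contributor",), "add: 2676090a-4baf-46ac-9085-4ac02cc50e3e"),
    PolicyChange("98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
                 "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
                 "DeployIfNotExists", ("Virtual Machine Contributor", "Backup Contributor"), "change: Major (3.0.0 > 4.0.0)"),
    PolicyChange("4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff",
                 "Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity",
                 "DeployIfNotExists", ("Virtual Machine Contributor",), "add: 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff"),
    PolicyChange("4eb216f2-9dba-4979-86e6-5d7e63ce3b75",
                 "Configure Azure Cognitive Search services to disable local authentication",
                 "Modify", ("Search Service Contributor",), "add: 4eb216f2-9dba-4979-86e6-5d7e63ce3b75"),
    PolicyChange("1c30f9cd-b84c-49cc-aa2c-9288447cc3b3",
                 "[Preview]: vTPM should be enabled on supported virtual machines",
                 "Audit", (), "change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)"),
)

if __name__ == "__main__":
    for f in triage(ROWS):
        print(f"breadth={f['breadth']} {f['id'][:8]} {f['change']:<6} {', '.join(f['roles'])}: {f['name']}")
```

With the default threshold the Site Recovery definition (Owner) sorts first, the two Contributor definitions follow, and the backup definition is listed only because of its Major bump; the vTPM Audit row is ignored because an Audit assignment creates no identity at all.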
Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-10-08 15:47:40
change: Major (1.0.0 > 2.0.0)
Azure Arc | 55c4db33-97b0-437b-8469-c4f4498f5df9 | Configure Azure Arc Private Link Scopes to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-10-08 15:47:40
add: 55c4db33-97b0-437b-8469-c4f4498f5df9
HDInsight | 2676090a-4baf-46ac-9085-4ac02cc50e3e | Configure Azure HDInsight clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-10-08 15:47:40
add: 2676090a-4baf-46ac-9085-4ac02cc50e3e
Azure Arc | 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 | Azure Arc Private Link Scopes should be configured with a private endpoint | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: Audit
Allowed: (Audit, Disabled)
2021-10-08 15:47:40
add: 7eab1da3-2bf0-4ff0-8303-1a4277c380e8
Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2021-10-08 15:47:40
change: Patch (1.1.0 > 1.1.1)
Update Management Center | 59efceea-0c96-497e-a4a1-4eb2290dac15 | [Preview]: Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed: modify | Virtual Machine Contributor
2021-10-08 15:47:40
add: 59efceea-0c96-497e-a4a1-4eb2290dac15
Update Management Center | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | [Preview]: Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-10-08 15:47:40
add: bd876905-5b84-4f73-ab2d-2e7a7c4568d9
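Several of the VM-level audits in this log check plain properties of the VM resource: the trusted-launch rows (vTPM, Secure Boot, and the Guest Attestation extension that actually ships the measurements for remote attestation, without which Secure Boot and vTPM only produce local state), the Azure Monitor Agent rows, and the AssessmentMode row just above. Two caveats matter when reading compliance results. The boot-integrity audits apply only to trusted-launch VMs, so a Gen1 VM is out of scope rather than non-compliant, and the AMA deploy policies skip any VM without a system-assigned managed identity, which is why the separate Modify definition for the identity exists; a VM with neither stays non-compliant until something adds the identity. The block below is an added example, not the definitions' own rule logic: a local pre-flight over VM resource JSON that reproduces those checks and surfaces the skip case explicitly. Property paths follow the raw ARM JSON of a Microsoft.Compute/virtualMachines resource with extensions as child resources; the extension publisher/type strings and all sample records are assumptions constructed for illustration.

```python
"""Local pre-flight for the VM-level audits in this changelog. Added example, not the
policy definitions' own rule logic. Property paths follow the raw ARM JSON of a
Microsoft.Compute/virtualMachines resource (extensions as child 'resources'); the
extension publisher/type strings and every sample record are assumptions."""
from __future__ import annotations

# Extension identifiers as assumed here.
ATTESTATION_PUBLISHERS = {"Microsoft.Azure.Security.WindowsAttestation",
                          "Microsoft.Azure.Security.LinuxAttestation"}
AMA_PUBLISHER = "Microsoft.Azure.Monitor"
AMA_TYPES = {"AzureMonitorWindowsAgent", "AzureMonitorLinuxAgent"}

def _get(obj, *path):
    """Nested lookup that returns None instead of raising when a key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def _has_extension(vm: dict, publishers: set[str], types: set[str]) -> bool:
    """True if a matching child extension reached provisioningState Succeeded.
    An extension still 'Creating' or 'Failed' does not satisfy an AuditIfNotExists."""
    return any(
        _get(ext, "properties", "publisher") in publishers
        and _get(ext, "properties", "type") in types
        and _get(ext, "properties", "provisioningState") == "Succeeded"
        for ext in vm.get("resources", [])
    )

def evaluate_vm(vm: dict) -> dict[str, str]:
    props = vm.get("properties", {})
    out: dict[str, str] = {}
    # 1. Boot integrity. These audits are scoped to trusted-launch VMs, so a Gen1 or
    #    standard VM is NotApplicable, not NonCompliant.
    if _get(props, "securityProfile", "securityType") == "TrustedLaunch":
        uefi = _get(props, "securityProfile", "uefiSettings") or {}
        out["vTPM"] = "Compliant" if uefi.get("vTpmEnabled") is True else "NonCompliant"
        out["SecureBoot"] = "Compliant" if uefi.get("secureBootEnabled") is True else "NonCompliant"
        attested = _has_extension(vm, ATTESTATION_PUBLISHERS, {"GuestAttestation"})
        out["GuestAttestation"] = "Compliant" if attested else "NonCompliant"
    else:
        out["vTPM"] = out["SecureBoot"] = out["GuestAttestation"] = "NotApplicable"
    # 2. Azure Monitor Agent. The deploy policies skip VMs without a system-assigned
    #    identity, so say so instead of reporting a bare NonCompliant.
    has_sami = "SystemAssigned" in (_get(vm, "identity", "type") or "")
    if _has_extension(vm, {AMA_PUBLISHER}, AMA_TYPES):
        out["AzureMonitorAgent"] = "Compliant"
    elif has_sami:
        out["AzureMonitorAgent"] = "NonCompliant"
    else:
        out["AzureMonitorAgent"] = "NonCompliant (deploy would skip: no system-assigned identity)"
    # 3. Update assessment: patchSettings.assessmentMode under windowsConfiguration or
    #    linuxConfiguration must be AutomaticByPlatform for the periodic 24h check.
    os_profile = props.get("osProfile", {})
    cfg = os_profile.get("windowsConfiguration") or os_profile.get("linuxConfiguration") or {}
    mode = _get(cfg, "patchSettings", "assessmentMode")
    out["AssessmentMode"] = "Compliant" if mode == "AutomaticByPlatform" else "NonCompliant"
    return out

def summarize(vms: list[dict]) -> dict[str, dict[str, str]]:
    """{vm name: {check: state}} for a batch of VM records."""
    return {vm["name"]: evaluate_vm(vm) for vm in vms}

# Constructed sample records, not real resources.
SAMPLE_VMS = [
    {"name": "tl-hardened", "identity": {"type": "SystemAssigned"},
     "properties": {
         "securityProfile": {"securityType": "TrustedLaunch",
                             "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}},
         "osProfile": {"linuxConfiguration": {"patchSettings": {"assessmentMode": "AutomaticByPlatform"}}}},
     "resources": [
         {"properties": {"publisher": "Microsoft.Azure.Security.LinuxAttestation",
                         "type": "GuestAttestation", "provisioningState": "Succeeded"}},
         {"properties": {"publisher": "Microsoft.Azure.Monitor",
                         "type": "AzureMonitorLinuxAgent", "provisioningState": "Succeeded"}}]},
    # Trusted launch with Secure Boot off, attestation still provisioning, user-assigned identity only.
    {"name": "tl-partial", "identity": {"type": "UserAssigned"},
     "properties": {
         "securityProfile": {"securityType": "TrustedLaunch",
                             "uefiSettings": {"secureBootEnabled": False, "vTpmEnabled": True}},
         "osProfile": {"windowsConfiguration": {"patchSettings": {"assessmentMode": "ImageDefault"}}}},
     "resources": [
         {"properties": {"publisher": "Microsoft.Azure.Security.WindowsAttestation",
                         "type": "GuestAttestation", "provisioningState": "Creating"}}]},
    {"name": "gen1-legacy", "properties": {"osProfile": {"windowsConfiguration": {}}}, "resources": []},
]

if __name__ == "__main__":
    for name, states in summarize(SAMPLE_VMS).items():
        print(name, states)
```

Feed it the JSON of real VMs (for instance the output of a resource GET with extensions expanded) and compare the result with the portal's compliance view: the one place they should legitimately differ is the AMA skip message, which the audit definition reports as a plain non-compliance while the deploy definition quietly leaves the VM alone.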
Azure Arc | a3461c8c-6c9d-4e42-a644-40ba8a1abf49 | Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: Modify
Allowed: (Modify, Disabled)
Azure Connected Machine Resource Administrator
2021-10-08 15:47:40
add: a3461c8c-6c9d-4e42-a644-40ba8a1abf49
HDInsight | c8cc2f85-e019-4065-9fa3-5e6a2b2dde56 | Azure HDInsight should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-08 15:47:40
add: c8cc2f85-e019-4065-9fa3-5e6a2b2dde56
Security Center | 44433aa3-7ec2-4002-93ea-65c65ff0310a | Configure Azure Defender for open-source relational databases to be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2021-10-08 15:47:40
add: 44433aa3-7ec2-4002-93ea-65c65ff0310a
Azure Arc898f2439-3333-4713-af25-f1d78bc50556Azure Arc Private Link Scopes should disable public network accessDisabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-10-08 15:47:40
add: 898f2439-3333-4713-af25-f1d78bc50556
Key Vaulted7c8c13-51e7-49d1-8a43-8490431a0da2Deploy Diagnostic Settings for Key Vault to Event HubDeploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault that is missing these diagnostic settings is created or updated. Fixed: deployIfNotExistsContributor
2021-10-08 15:47:40
change: Major (2.0.0 > 3.0.0)
Update Management Centerbfea026e-043f-4ff4-9d1b-bf301ca7ff46[Preview]: Configure periodic checking for missing system updates on Azure Arc-enabled serversConfigure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed: modifyAzure Connected Machine Resource Administrator
2021-10-08 15:47:40
add: bfea026e-043f-4ff4-9d1b-bf301ca7ff46
Azure Arcd6eeba80-df61-4de5-8772-bc1b7852ba6bConfigure Azure Arc Private Link Scopes with private endpointsPrivate endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Azure Connected Machine Resource Administrator
2021-10-08 15:47:40
add: d6eeba80-df61-4de5-8772-bc1b7852ba6b
HDInsight43d6e3bd-fc6a-4b44-8b4d-2151d8736a11Configure Azure HDInsight clusters to use private DNS zonesUse private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-10-08 15:47:40
add: 43d6e3bd-fc6a-4b44-8b4d-2151d8736a11
Azure Arcefa3f296-ff2b-4f38-bc0d-5ef12c965b68Azure Arc-enabled servers should be configured with an Azure Arc Private Link ScopeAzure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-10-08 15:47:40
add: efa3f296-ff2b-4f38-bc0d-5ef12c965b68
Azure Arcde0bc8ea-76e2-4fe2-a288-a07556d0e9c4Configure Azure Arc Private Link Scopes to disable public network accessDisable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. Default: Modify
Allowed: (Modify, Disabled)
Azure Connected Machine Resource Administrator
2021-10-08 15:47:40
add: de0bc8ea-76e2-4fe2-a288-a07556d0e9c4
Machine Learning7804b5c7-01dc-4723-969b-ae300cc07ff1Audit Azure Machine Learning Compute Cluster and Instance is behind virtual networkAzure Virtual Network deployment provides enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When an Azure Machine Learning Compute instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default: Audit
Allowed: (Audit, Disabled)
2021-10-08 15:47:40
add: 7804b5c7-01dc-4723-969b-ae300cc07ff1
Event Hub57f35901-8389-40bb-ac49-3ba4f86d889dConfigure Azure Event Hub namespaces to disable local authenticationDisable local authentication methods so that your Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default: Modify
Allowed: (Modify, Disabled)
Azure Event Hubs Data Owner
2021-10-04 15:27:15
add: 57f35901-8389-40bb-ac49-3ba4f86d889d
Kubernetes13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759[Preview]: Kubernetes clusters should gate deployment of vulnerable imagesProtect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure Defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
Machine Learning438c38d2-3772-465a-a9cc-7a6666a275ceAzure Machine Learning workspaces should disable public network accessDisabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-10-04 15:27:15
add: 438c38d2-3772-465a-a9cc-7a6666a275ce
Service Buscfb11c26-f069-4c14-8e36-56c394dae5afAzure Service Bus namespaces should have local authentication methods disabledDisabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-10-04 15:27:15
add: cfb11c26-f069-4c14-8e36-56c394dae5af
Guest Configurationf6ec09a3-78bf-4f8f-99dc-6c77182d0f99Audit Linux machines that have accounts without passwordsRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-04 15:27:15
change: Minor (1.0.0 > 1.1.0)
Machine Learninga10ee784-7409-4941-b091-663697637c0fConfigure Azure Machine Learning workspaces to disable public network accessDisable public network access for Azure Machine Learning workspaces so that your workspaces aren't accessible over the public internet. This will help protect the workspaces against data leakage risks. You can limit exposure of your machine learning workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Modify
Allowed: (Modify, Disabled)
AzureML Data Scientist
2021-10-04 15:27:15
add: a10ee784-7409-4941-b091-663697637c0f
Kubernetes423dd1ba-798e-40e4-9c4d-b6902674b423Kubernetes clusters should disable automounting API credentialsDisable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (2.0.1-preview > 2.0.1)
Guest Configuration73db37c4-f180-4b0f-ab2c-8ee96467686bLinux machines should only have local accounts that are allowedRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-04 15:27:15
change: Minor (1.0.0 > 1.1.0)
Guest Configuration331e8ea8-378a-410f-a2e5-ae22f38bb0daDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMsThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExistsContributor
2021-10-04 15:27:15
change: Minor (1.0.1 > 1.1.0)
Guest Configuration0447bc18-e2f7-4c0d-aa20-bff034275be1Audit Linux machines that have the specified applications installedRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-04 15:27:15
change: Minor (3.0.0 > 3.1.0)
Guest Configurationfc9b3da7-8347-4380-8e70-0a0361d8deddLinux machines should meet requirements for the Azure compute security baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-04 15:27:15
change: Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)
Guest Configuratione6955644-301c-44b5-a4c4-528577de6861Audit Linux machines that do not have the passwd file permissions set to 0644Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the passwd file permissions are not set to 0644. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-04 15:27:15
change: Minor (1.0.0 > 1.1.0)
Kubernetes9f061a12-e40d-4183-a00e-171812443373Kubernetes clusters should not use the default namespacePrevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (2.1.1-preview > 2.1.1)
Guest Configuration630c64f9-8b6b-4c64-b511-6544ceff6fd6Authentication to Linux machines should require SSH keysAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-04 15:27:15
change: Minor (2.0.1 > 2.1.0)
Guest Configuration385f5831-96d4-41db-9a3c-cd3af78aaae6Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMsThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExistsContributor
2021-10-04 15:27:15
change: Minor (1.0.1 > 1.1.0)
Event Hub5d4e3c65-4873-47be-94f3-6f8b953a3598Azure Event Hub namespaces should have local authentication methods disabledDisabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-10-04 15:27:15
add: 5d4e3c65-4873-47be-94f3-6f8b953a3598
Kubernetesa27c700f-8a22-44ec-961c-41625264370bKubernetes clusters should not use specific security capabilitiesPrevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1)
Kubernetesd2e7ea85-6b44-4317-a0be-1b951587f626Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilitiesTo reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1)
Guest Configurationea53dbee-c6c9-4f0e-9f9e-de0039b78023Audit Linux machines that allow remote connections from accounts without passwordsRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-04 15:27:15
change: Minor (1.0.0 > 1.1.0)
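The four Linux Guest Configuration audits listed above (accounts without passwords, remote connections from accounts without passwords, passwd file permissions of 0644, and SSH key authentication) can be pre-checked on a machine before the policy evaluates it. The following is an added example, not the Guest Configuration agent or its Chef InSpec/DSC resources, and the concrete checks it performs are assumptions modelled on the policy descriptions: an empty second field in /etc/shadow is treated as an account without a password, sshd's PermitEmptyPasswords as the "remote connections from accounts without passwords" control, and sshd's PasswordAuthentication as the "require SSH keys" control. The shadow and sshd_config samples are constructed for the example.

```python
"""Local pre-flight for four Linux Guest Configuration audit policies.

Added example; not the Guest Configuration agent. The exact checks the
agent's resources run are an assumption modelled on the descriptions.
"""
import stat

# Constructed /etc/shadow: '*' and '!' are locked accounts, '' is empty.
SHADOW_SAMPLE = """\
root:$6$salt$hashedpw:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
kiosk::19000:0:99999:7:::
deploy:$6$salt$anotherhash:19000:0:99999:7:::
"""

# Constructed sshd_config: the second PasswordAuthentication line is
# ignored because sshd keeps the first value it sees for a keyword.
SSHD_CONFIG_WEAK = """\
Port 22
PasswordAuthentication yes
PermitEmptyPasswords yes
PasswordAuthentication no
"""

SSHD_CONFIG_HARDENED = """\
Port 22
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""


def accounts_without_password(shadow_text):
    """Names whose shadow password field is empty (locked accounts excluded)."""
    found = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":
            found.append(fields[0])
    return found


def sshd_directive(config_text, keyword, default):
    """Effective top-level value of an sshd directive (first match wins).

    Anything after a 'Match' line is conditional and out of scope here.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default


def permits_remote_empty_passwords(config_text):
    return sshd_directive(config_text, "PermitEmptyPasswords", "no") == "yes"


def allows_password_login(config_text):
    return sshd_directive(config_text, "PasswordAuthentication", "yes") == "yes"


def passwd_mode_compliant(mode):
    """True when the permission bits of /etc/passwd (from os.stat) are exactly 0644."""
    return stat.S_IMODE(mode) == 0o644


def audit(shadow_text, sshd_text, passwd_mode):
    """Return the display names of the policies this machine would fail."""
    failures = []
    empty = accounts_without_password(shadow_text)
    if empty:
        failures.append("Audit Linux machines that have accounts without passwords")
    if empty and permits_remote_empty_passwords(sshd_text):
        failures.append("Audit Linux machines that allow remote connections from accounts without passwords")
    if not passwd_mode_compliant(passwd_mode):
        failures.append("Audit Linux machines that do not have the passwd file permissions set to 0644")
    if allows_password_login(sshd_text):
        failures.append("Authentication to Linux machines should require SSH keys")
    return failures


if __name__ == "__main__":
    # On a real host: open('/etc/shadow') (as root), open('/etc/ssh/sshd_config'),
    # and os.stat('/etc/passwd').st_mode in place of the constructed inputs.
    for name in audit(SHADOW_SAMPLE, SSHD_CONFIG_WEAK, 0o100666):
        print("FAIL:", name)
```

On a real host the sshd check should be run against the effective configuration (`sshd -T`) rather than the file, since Include directives and Match blocks change the outcome; the parser above deliberately stops at the first Match line so it never reports a conditional setting as global.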
Service Bus910711a6-8aa2-4f15-ae62-1e5b2ed3ef9eConfigure Azure Service Bus namespaces to disable local authenticationDisable local authentication methods so that your Azure Service Bus namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default: Modify
Allowed: (Modify, Disabled)
Azure Service Bus Data Owner
2021-10-04 15:27:15
add: 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e
Security Centeraf99038c-02fd-4a2f-ac24-386b62bf32de[Preview]: Machines should have ports closed that might expose attack vectorsAzure's Terms Of Use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server, or the network. The exposed ports identified by this recommendation need to be closed for your continued security. For each identified port, the recommendation also provides an explanation of the potential threat. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-10-04 15:27:15
add: af99038c-02fd-4a2f-ac24-386b62bf32de
Monitoringefbde977-ba53-4479-b8e9-10b957924fbfThe Log Analytics extension should be installed on Virtual Machine Scale SetsThis policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-27 15:52:17
change: Patch (1.0.0 > 1.0.1)
Monitoringd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machinesThis policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-27 15:52:17
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
SQLfd2d1a6e-6d95-4df2-ad00-504bf0273406Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc-enabled Windows Server, the server should have the SQL Server extension installed and its managed identity should be configured with the Azure Connected SQL Server Onboarding role. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
User Access Administrator
2021-09-27 15:52:17
change: Major (1.0.1 > 2.0.0)
Network98a2e215-5382-489e-bd29-32e7190a39baConfigure diagnostic settings for Azure Network Security Groups to Log Analytics workspaceDeploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-09-27 15:52:17
add: 98a2e215-5382-489e-bd29-32e7190a39ba
Guest Configuration1e7fed80-8321-4605-b42c-65fc300f23a3Linux machines should have Log Analytics agent installed on Azure ArcMachines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-27 15:52:17
add: 1e7fed80-8321-4605-b42c-65fc300f23a3
Security Centera2ea54a3-9707-45e3-8230-bbda8309d17e[Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection RuleConfigure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2021-09-27 15:52:17
add: a2ea54a3-9707-45e3-8230-bbda8309d17e
Storage92a89a79-6c52-4a7e-a03f-61306fc49312Storage accounts should prevent cross tenant object replicationAudit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. It is a security concern because the customer's data can be replicated to a storage account that is not owned by the customer. By setting allowCrossTenantReplication to false, object replication can be configured only if both source and destination accounts are in the same Azure AD tenant. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-09-27 15:52:17
add: 92a89a79-6c52-4a7e-a03f-61306fc49312
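Several entries in this table (the storage cross-tenant replication rule above, and the Event Hub and Service Bus "local authentication methods disabled" rules) share the same shape: a policy rule whose `if` block matches a resource type and a property value, and whose `then` effect is a parameter that the assignment sets to Audit, Deny or Disabled. The block below is an added illustration of how such a rule is evaluated; it is not Microsoft's policy engine and the two definitions are written from the descriptions on this page rather than copied from the published JSON. The field aliases, the absent-property semantics (an unset `allowCrossTenantReplication` counts as non-compliant, because the platform default allows replication) and the sample resources are assumptions constructed for the example.

```python
"""Minimal evaluator for Azure Policy-style rules (added example).

Not the Azure Policy engine; the definitions below are modelled on
policy descriptions, and their field aliases are assumptions.
"""
import re

PARAM_RE = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def resolve(value, params):
    """Replace "[parameters('x')]" with the value the assignment supplied."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def get_field(resource, alias):
    """Look up a field alias: 'type' is the resource type, anything else is
    taken to be a property (the last path segment) under 'properties'."""
    if alias == "type":
        return resource.get("type")
    prop = alias.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(prop)


def evaluate(cond, resource, params):
    """Return True when the condition tree matches the resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = get_field(resource, cond["field"])
    if "exists" in cond:                       # policy JSON writes this as "true"/"false"
        want = str(resolve(cond["exists"], params)).lower() == "true"
        return (actual is not None) == want
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params)
    raise ValueError(f"unsupported condition: {cond}")


def decide(definition, resource, params):
    """Effect that fires for a resource: 'Deny', 'Audit', or None (compliant/disabled)."""
    rule = definition["policyRule"]
    if not evaluate(rule["if"], resource, params):
        return None
    effect = resolve(rule["then"]["effect"], params)
    return None if effect == "Disabled" else effect


# Hypothetical definition modelled on 'Storage accounts should prevent
# cross tenant object replication'. An unset property is non-compliant.
CROSS_TENANT_REPLICATION = {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
         "notEquals": False},
    ]},
    "then": {"effect": "[parameters('effect')]"},
}}

# Hypothetical definition modelled on 'Azure Event Hub namespaces should
# have local authentication methods disabled'.
LOCAL_AUTH = {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.EventHub/namespaces"},
        {"anyOf": [
            {"field": "Microsoft.EventHub/namespaces/disableLocalAuth", "exists": "false"},
            {"field": "Microsoft.EventHub/namespaces/disableLocalAuth", "equals": False},
        ]},
    ]},
    "then": {"effect": "[parameters('effect')]"},
}}

# Constructed sample resources (not real subscriptions).
RESOURCES = [
    {"name": "stgopen", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"allowCrossTenantReplication": True}},
    {"name": "stglocked", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"allowCrossTenantReplication": False}},
    {"name": "ehlegacy", "type": "Microsoft.EventHub/namespaces",
     "properties": {}},                     # disableLocalAuth never set
    {"name": "ehaad", "type": "Microsoft.EventHub/namespaces",
     "properties": {"disableLocalAuth": True}},
]


def run(definition, params):
    """Map every sample resource name to the effect that would fire."""
    return {r["name"]: decide(definition, r, params) for r in RESOURCES}


if __name__ == "__main__":
    print(run(CROSS_TENANT_REPLICATION, {"effect": "Deny"}))
    print(run(LOCAL_AUTH, {"effect": "Audit"}))
```

The practical point the evaluator makes visible: with Audit the non-compliant resource is only reported, with Deny the same match blocks the create or update request, and Disabled never fires regardless of resource state, which is why the "Allowed" column matters when you assign a definition to production scopes.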
Networke372f825-a257-4fb8-9175-797a8a8627d6[Deprecated]: RDP access from the Internet should be blockedThis policy is deprecated. This policy audits any network security rule that allows RDP access from the Internet. Default: Audit
Allowed: (Audit, Disabled)
2021-09-27 15:52:17
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
Monitoring32133ab0-ee4b-4b44-98d6-042180979d50[Preview]: Log Analytics Extension should be enabled for listed virtual machine imagesReports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-27 15:52:17
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
Compute3d8640fc-63f6-4734-8dcb-cfd3d8c78f38[Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMsThis policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace Fixed: deployIfNotExistsLog Analytics Contributor
2021-09-27 15:52:17
change: Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated)
Monitoring842c54e8-c2f9-4d79-ae8d-38d8b8019373[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machinesThis policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-27 15:52:17
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
Guest Configuration4078e558-bda6-41fb-9b3c-361e8875200dWindows machines should have Log Analytics agent installed on Azure ArcMachines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Windows server. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-27 15:52:17
add: 4078e558-bda6-41fb-9b3c-361e8875200d
Network2c89a2e5-7285-40fe-afe0-ae8654b92fab[Deprecated]: SSH access from the Internet should be blockedThis policy is deprecated. This policy audits any network security rule that allows SSH access from the Internet. Default: Audit
Allowed: (Audit, Disabled)
2021-09-27 15:52:17
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
Monitoring0868462e-646c-4fe3-9ced-a733534b6a2cDeploy - Configure Log Analytics extension to be enabled on Windows virtual machinesDeploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1)
Security Centerbdc59948-5574-49b3-bb91-76b7c986428dAzure Defender for DNS should be enabledAzure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-27 15:52:17
change: Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
Monitoring3c1b3629-c8f8-4bf6-862c-037cb9094038Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale setsDeploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
Virtual Machine Contributor
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1)
Monitoring053d3325-282c-4e5c-b944-24faffd30d77Deploy Log Analytics extension for Linux VMs. See deprecation notice belowDeploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Fixed: deployIfNotExistsLog Analytics Contributor
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1)
Monitoring9d2b61b4-1d14-4a63-be30-d4498e7ad2cfConfigure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice belowEnable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1)
Monitoring69af7d4a-7b18-4044-93a9-2651498ef203Configure Log Analytics extension on Azure Arc enabled Windows serversEnable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1)
Kubernetesfebd0533-8e55-448f-b837-bd0e06f16469Kubernetes cluster containers should only use allowed imagesUse images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-27 15:52:17
change: Patch (7.0.0 > 7.0.1)
Monitoring5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine imagesReports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1)
Security Center8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28[Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor AgentConfigure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-09-27 15:52:17
change: Major, suffix remains equal (1.1.0-preview > 3.0.0-preview)
Monitoring5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice belowDeploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Fixed: deployIfNotExistsLog Analytics Contributor
Virtual Machine Contributor
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1)
Kubernetes13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759[Preview]: Kubernetes clusters should gate deployment of vulnerable imagesProtect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure Defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-09-27 15:52:17
add: 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759
Monitoringa70ca396-0a34-413a-88e1-b956c1e683beVirtual machines should have the Log Analytics extension installedThis policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-27 15:52:17
change: Patch (1.0.0 > 1.0.1)
Key Vault84d327c3-164a-4685-b453-900478614456[Preview]: Configure Azure Key Vault Managed HSM to disable public network accessDisable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Default: Modify
Allowed: (Modify, Disabled)
Managed HSM contributor
2021-09-27 15:52:17
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Synapseac7891a4-ac7a-4ba0-9ae9-c923e5a225eeConfigure Synapse workspaces to have auditing enabledTo ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
SQL Security Manager
Storage Account Contributor
2021-09-27 15:52:17
change: Major (1.1.0 > 2.0.0)
Event Grid2dd0e8b9-4289-4bb0-b813-1883298e9924Configure Azure Event Grid partner namespaces to disable local authenticationDisable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor
2021-09-21 16:12:09
add: 2dd0e8b9-4289-4bb0-b813-1883298e9924
Kubernetes1c6e92c9-99f0-4e55-9cf2-0c234dc48f99Kubernetes clusters should not allow container privilege escalationDo not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-21 16:12:09
change: Major (3.0.1 > 4.0.0)
Kubernetes1ddac26b-ed48-4c30-8cc5-3a68c79b8001Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-editClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (Audit, Disabled)
2021-09-21 16:12:09
add: 1ddac26b-ed48-4c30-8cc5-3a68c79b8001
Kubernetes245fc9df-fa96-4414-9a0b-3738c2f7341cResource logs in Azure Kubernetes Service should be enabledAzure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable them to make sure the logs will exist when needed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-21 16:12:09
add: 245fc9df-fa96-4414-9a0b-3738c2f7341c
Event Grid | ae9fb87f-8a17-4428-94a4-8135d431055c | Azure Event Grid topics should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-09-21 16:12:09
add: ae9fb87f-8a17-4428-94a4-8135d431055c
Automation | 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 | Azure Automation account should have local authentication method disabled | Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-09-21 16:12:09
add: 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-21 16:12:09
change: Patch (4.0.1 > 4.0.2)
Automation | 30d1d58e-8f96-47a5-8564-499a3f3cca81 | Configure Azure Automation account to disable local authentication | Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-09-21 16:12:09
add: 30d1d58e-8f96-47a5-8564-499a3f3cca81
Event Grid | 1c8144d9-746a-4501-b08c-093c8d29ad04 | Configure Azure Event Grid topics to disable local authentication | Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor
2021-09-21 16:12:09
add: 1c8144d9-746a-4501-b08c-093c8d29ad04
Event Grid | 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd | Azure Event Grid domains should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-09-21 16:12:09
add: 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd
Event Grid | 8632b003-3545-4b29-85e6-b2b96773df1e | Azure Event Grid partner namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-09-21 16:12:09
add: 8632b003-3545-4b29-85e6-b2b96773df1e
Event Grid | 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 | Configure Azure Event Grid domains to disable local authentication | Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor
2021-09-21 16:12:09
add: 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1
Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-09-13 16:35:32
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)
Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-09-13 16:35:32
change: Major (1.0.0 > 2.0.0)
Security Center | 2f47ec78-4301-4655-b78e-b29377030cdc | [Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent | Configure supported Linux Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Linux Arc machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-09-13 16:35:32
add: 2f47ec78-4301-4655-b78e-b29377030cdc
Security Center | e8794316-d918-4565-b57d-6b38a06381a0 | [Preview]: Azure Security agent should be installed on your Linux virtual machines | Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-13 16:35:32
add: e8794316-d918-4565-b57d-6b38a06381a0
Security Center | 1f300abb-f5a0-41c3-a163-91bd3ed35de7 | [Preview]: Azure Security agent should be installed on your Linux Arc machines | Install the Azure Security agent on your Linux Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-13 16:35:32
add: 1f300abb-f5a0-41c3-a163-91bd3ed35de7
Security Center | bb2c6c6d-14bc-4443-bef3-c6be0adc6076 | [Preview]: Azure Security agent should be installed on your Windows virtual machines | Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-13 16:35:32
add: bb2c6c6d-14bc-4443-bef3-c6be0adc6076
Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-09-13 16:35:32
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Security Center | 0961003e-5a0a-4549-abde-af6a37f2724d | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-13 16:35:32
change: Patch (2.0.1 > 2.0.2)
Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-09-13 16:35:32
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Security Center | e16f967a-aa57-4f5e-89cd-8d1434d0a29a | [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets | Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-13 16:35:32
add: e16f967a-aa57-4f5e-89cd-8d1434d0a29a
Security Center | d01f3018-de9f-4d75-8dae-d12c1875da9f | [Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent | Configure supported Windows Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows Arc machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-09-13 16:35:32
add: d01f3018-de9f-4d75-8dae-d12c1875da9f
Security Center | 6654c8c4-e6f8-43f8-8869-54327af7ce32 | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent | Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-09-13 16:35:32
add: 6654c8c4-e6f8-43f8-8869-54327af7ce32
Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2021-09-13 16:35:32
change: Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview)
Security Center | 0367cfc4-90b3-46ba-a8a6-ddd5d3514878 | [Preview]: Azure Security agent should be installed on your Windows Arc machines | Install the Azure Security agent on your Windows Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-13 16:35:32
add: 0367cfc4-90b3-46ba-a8a6-ddd5d3514878
Security Center | 62b52eae-c795-44e3-94e8-1b3d264766fb | [Preview]: Azure Security agent should be installed on your Linux virtual machine scale sets | Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-13 16:35:32
add: 62b52eae-c795-44e3-94e8-1b3d264766fb
Key Vault | 84d327c3-164a-4685-b453-900478614456 | [Preview]: Configure Azure Key Vault Managed HSM to disable public network access | Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Default: Modify
Allowed: (Modify, Disabled)
Managed HSM contributor
2021-09-13 16:35:32
add: 84d327c3-164a-4685-b453-900478614456
Security Center | 808a7dc4-49f2-4e7b-af75-d14e561c244a | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent | Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-09-13 16:35:32
add: 808a7dc4-49f2-4e7b-af75-d14e561c244a
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1)
App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-08 15:39:57
add: 847ef871-e2fe-4e6e-907e-4adbf71de5cf
Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1)
App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service apps exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-08 15:39:57
add: aede300b-d67f-480a-ae26-4b3dfb1a1fdc
App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor
2021-09-08 15:39:57
add: 572e342c-c920-4ef5-be2e-1ed3c6a51dc5
Healthcare APIs | fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 | CORS should not allow every domain to access your FHIR Service | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. | Default: Audit
Allowed: (audit, Audit, disabled, Disabled)
2021-09-08 15:39:57
add: fe1c9040-c46a-4e81-9aea-c7850fbb3aa6
SignalR | 702133e5-5ec5-4f90-9638-c78e22f13b39 | Configure Azure SignalR Service to disable local authentication | Disable local authentication methods so that your Azure SignalR Service exclusively requires Azure Active Directory identities for authentication. | Default: Modify
Allowed: (Modify, Disabled)
SignalR/Web PubSub Contributor
2021-09-08 15:39:57
add: 702133e5-5ec5-4f90-9638-c78e22f13b39
App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service apps exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-08 15:39:57
add: 871b205b-57cf-4e1e-a234-492616998bf7
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1)
App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-09-08 15:39:57
add: ec71c0bc-6a45-4b1f-9587-80dc83e6898c
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (5.0.0 > 5.0.1)
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1)
Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview)
Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Block specific security capabilities in Kubernetes clusters so that Pod resources cannot obtain privileges they were not granted. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview)
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1)
Bot Service | ad5621d6-a877-4407-aa93-a950b428315e | BotService resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. | Default: Audit
Allowed: (Audit, Disabled)
2021-09-08 15:39:57
add: ad5621d6-a877-4407-aa93-a950b428315e
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1)
Internet of Things | 672d56b3-23a7-4a3c-a233-b77ed7777518 | Azure IoT Hub should have local authentication methods disabled for Service Apis | Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively requires Azure Active Directory identities for Service API authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-09-08 15:39:57
add: 672d56b3-23a7-4a3c-a233-b77ed7777518
Internet of Things | 9f8ba900-a70f-486e-9ffc-faf907305376 | Configure Azure IoT Hub to disable local authentication | Disable local authentication methods so that your Azure IoT Hub exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-09-08 15:39:57
add: 9f8ba900-a70f-486e-9ffc-faf907305376
App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor
2021-09-08 15:39:57
add: 5e97b776-f380-4722-a9a3-e7f0be029e79
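The "disable local authentication" definitions above (Event Grid topics, domains and partner namespaces; Automation accounts; IoT Hub; SignalR; App Service SCM and FTP publishing credentials) and the Managed HSM public-network entry come in pairs: an Audit/Deny definition that tests one resource property, and a Modify or DeployIfNotExists definition that writes it. The following is an added example, not Microsoft's policy engine or any definition's own rule. It takes resources in the shape `az resource show` returns (name, type, properties), reports which ones the Audit definitions would flag, and applies the property change the remediation definitions make. The property names (`disableLocalAuth`, `allow`, `publicNetworkAccess`) are assumptions drawn from the ARM schemas; confirm them against the `field` aliases in each definition before relying on them. The inventory at the bottom is constructed.

```python
"""Offline evaluator for the "local authentication" and Managed HSM entries
above. Added example; it is not Microsoft's policy engine. Resources are dicts
in the shape `az resource show` returns (name, type, properties). Property
names are assumptions taken from the ARM schemas; confirm them against the
`field` aliases in each definition."""
import copy
from typing import Callable, Dict, List, Tuple

Properties = Dict[str, object]
# Each rule: (predicate that is True when compliant, properties the Modify effect would set).
Rule = Tuple[Callable[[Properties], bool], Properties]


def _is_true(key: str) -> Callable[[Properties], bool]:
    # An absent property counts as non-compliant, like a `notEquals true` condition.
    return lambda p: p.get(key) is True


RULES: Dict[str, Rule] = {
    # Audit/Deny: "... should have local authentication methods disabled";
    # Modify: "Configure ... to disable local authentication".
    "microsoft.eventgrid/topics": (_is_true("disableLocalAuth"), {"disableLocalAuth": True}),
    "microsoft.eventgrid/domains": (_is_true("disableLocalAuth"), {"disableLocalAuth": True}),
    "microsoft.eventgrid/partnernamespaces": (_is_true("disableLocalAuth"), {"disableLocalAuth": True}),
    "microsoft.automation/automationaccounts": (_is_true("disableLocalAuth"), {"disableLocalAuth": True}),
    "microsoft.devices/iothubs": (_is_true("disableLocalAuth"), {"disableLocalAuth": True}),
    "microsoft.signalrservice/signalr": (_is_true("disableLocalAuth"), {"disableLocalAuth": True}),
    # App Service: basic auth lives in the per-site child resources named "scm" and "ftp".
    "microsoft.web/sites/basicpublishingcredentialspolicies": (
        lambda p: p.get("allow") is False, {"allow": False}),
    # Managed HSM: "Configure Azure Key Vault Managed HSM to disable public network access".
    "microsoft.keyvault/managedhsms": (
        lambda p: p.get("publicNetworkAccess") == "Disabled", {"publicNetworkAccess": "Disabled"}),
}


def audit(resources: List[Dict]) -> List[str]:
    """Names of in-scope resources the Audit definitions would report as non-compliant."""
    non_compliant = []
    for r in resources:
        rule = RULES.get(r["type"].lower())
        if rule is None:
            continue  # resource type not covered by these definitions
        compliant, _ = rule
        if not compliant(r.get("properties") or {}):
            non_compliant.append(r["name"])
    return non_compliant


def remediate(resources: List[Dict]) -> List[Dict]:
    """Copy of `resources` with the Modify-style property change applied where needed.

    This mirrors the effect, not the mechanism: in Azure the assignment's managed
    identity (EventGrid Contributor, Contributor, Website Contributor, ...) performs
    the write during a remediation task."""
    fixed = copy.deepcopy(resources)
    for r in fixed:
        rule = RULES.get(r["type"].lower())
        if rule is None:
            continue
        compliant, patch = rule
        props = r.setdefault("properties", {})
        if not compliant(props):
            props.update(patch)
    return fixed


# Constructed sample inventory (not real resources).
SAMPLE = [
    {"name": "orders-topic", "type": "Microsoft.EventGrid/topics",
     "properties": {"disableLocalAuth": False}},
    {"name": "ops-automation", "type": "Microsoft.Automation/automationAccounts",
     "properties": {}},  # property never set: still non-compliant
    {"name": "hub-prod", "type": "Microsoft.Devices/IotHubs",
     "properties": {"disableLocalAuth": True}},
    {"name": "scm", "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
     "properties": {"allow": True}},
    {"name": "ftp", "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
     "properties": {"allow": False}},
    {"name": "hsm-prod", "type": "Microsoft.KeyVault/managedHSMs",
     "properties": {"publicNetworkAccess": "Enabled"}},
    {"name": "vm-web01", "type": "Microsoft.Compute/virtualMachines",
     "properties": {}},  # out of scope: ignored
]

if __name__ == "__main__":
    print("non-compliant:", audit(SAMPLE))
    print("after remediation:", audit(remediate(SAMPLE)))
```

The absent-property case matters in practice: a resource created before the property existed reports neither true nor false, and the Audit definitions treat that as non-compliant, which is why `_is_true` requires an explicit `True` rather than just "not false".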
Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1)
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect against run-time changes such as malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1)
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1)
SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed | To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows Server, the latter should have the SQL Server extension installed and the server's managed identity should be configured with the Azure Connected SQL Server Onboarding role. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
User Access Administrator
2021-09-08 15:39:57
change: Patch (1.0.0 > 1.0.1)
Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1)
Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1)
App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disable local authentication methods for SCM sites so that your App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor
2021-09-08 15:39:57
add: 2c034a29-2a5f-4857-b120-f800fe5549ae
Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview)
Bot Service | 6a4e6f44-f2af-4082-9702-033c9e88b9f8 | Configure BotService resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-09-08 15:39:57
add: 6a4e6f44-f2af-4082-9702-033c9e88b9f8
Bot Service | 29261f8e-efdb-4255-95b8-8215414515d6 | Configure BotService resources with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-09-08 15:39:57
add: 29261f8e-efdb-4255-95b8-8215414515d6
App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disable local authentication methods for FTP deployments so that your App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor
2021-09-08 15:39:57
add: f493116f-3b7f-4ab3-bf80-0c2af35e46c2
Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1)
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1)
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1)
Category: Kubernetes
Id: 708b60a6-d253-4fe0-9114-4be4c00f012c
DisplayName: [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2021-08-30 14:27:30
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Key Vault
Id: 8e826246-c976-48f6-b03e-619bb92b3d82
DisplayName: Certificates should be issued by the specified integrated certificate authority
Description: Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1)
Category: Security Center
Id: 1f7c564c-0a90-4d44-b7e1-9d456cffaee8
DisplayName: Endpoint protection should be installed on your machines
Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-08-30 14:27:30
add: 1f7c564c-0a90-4d44-b7e1-9d456cffaee8
Category: Kubernetes
Id: 975ce327-682c-4f2e-aa46-b9598289b86c
DisplayName: Kubernetes cluster containers should only use allowed seccomp profiles
Description: Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0)
Category: Kubernetes
Id: 098fc59e-46c7-4d99-9b16-64990e543d75
DisplayName: Kubernetes cluster pod hostPath volumes should only use allowed host paths
Description: Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0)
Category: Key Vault
Id: c26e4b24-cf98-4c67-b48b-5a25c4c69eb9
DisplayName: Keys should not be active for longer than the specified number of days
Description: Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: Security Center
Id: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2
DisplayName: Endpoint protection health issues should be resolved on your machines
Description: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-08-30 14:27:30
add: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2
Category: Key Vault
Id: 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0
DisplayName: Key Vault keys should have an expiration date
Description: Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.1-preview > 1.0.2)
Category: Key Vault
Id: a22f4a40-01d3-4c7d-8071-da157eeff341
DisplayName: Certificates should be issued by the specified non-integrated certificate authority
Description: Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1)
Category: Kubernetes
Id: a27c700f-8a22-44ec-961c-41625264370b
DisplayName: Kubernetes clusters should not use specific security capabilities
Description: Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Category: Key Vault
Id: ff25f3c8-b739-4538-9d07-3d6d25cfb255
DisplayName: Keys using elliptic curve cryptography should have the specified curve names
Description: Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: Key Vault
Id: cee51871-e572-4576-855c-047c820360f0
DisplayName: Certificates using RSA cryptography should have the specified minimum key size
Description: Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1)
Category: Key Vault
Id: 1151cede-290b-4ba0-8b38-0ad145ac888f
DisplayName: Certificates should use allowed key types
Description: Manage your organizational compliance requirements by restricting the key types allowed for certificates.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1)
Category: Key Vault
Id: 75c4f823-d65c-4f29-a733-01d0077fdbcb
DisplayName: Keys should be the specified cryptographic type RSA or EC
Description: Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: API Management
Id: 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2
DisplayName: Configure API Management services to disable public network access
Description: To improve the security of API Management services, disable public endpoints. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
API Management Service Contributor
2021-08-30 14:27:30
add: 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2
Category: Key Vault
Id: 82067dbb-e53b-4e06-b631-546d197452d9
DisplayName: Keys using RSA cryptography should have a specified minimum key size
Description: Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: Key Vault
Id: b0eb591a-5e70-4534-a8bf-04b9c489584a
DisplayName: Secrets should have more than the specified number of days before expiration
Description: If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: Kubernetes
Id: f06ddb64-5fa3-4b77-b166-acb36f7f6042
DisplayName: Kubernetes cluster pods and containers should only run with approved user and group IDs
Description: Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0)
Category: Key Vault
Id: 75262d3e-ba4a-4f43-85f8-9f72c090e5e3
DisplayName: Secrets should have content type set
Description: A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: Key Vault
Id: 12ef42cb-9903-4e39-9c26-422d29570417
DisplayName: Certificates should have the specified lifetime action triggers
Description: Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1)
Category: Kubernetes
Id: 82985f06-dc18-4a48-bc1c-b9f4f0098cfe
DisplayName: Kubernetes cluster pods should only use approved host network and port range
Description: Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0)
Category: Kubernetes
Id: df49d893-a74c-421d-bc95-c663042e5b80
DisplayName: Kubernetes cluster containers should run with a read only root file system
Description: Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0)
Category: Key Vault
Id: 98728c90-32c7-4049-8429-847dc0f4fe37
DisplayName: Key Vault secrets should have an expiration date
Description: Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.1-preview > 1.0.2)
Category: Kubernetes
Id: c26596ff-4d70-4e6a-9a30-c2506bd2f80c
DisplayName: Kubernetes cluster containers should only use allowed capabilities
Description: Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0)
Category: Key Vault
Id: bd78111f-4953-4367-9fd5-7e08808b54bf
DisplayName: Certificates using elliptic curve cryptography should have allowed curve names
Description: Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1)
Category: Kubernetes
Id: 511f5417-5d12-434d-ab2e-816901e72a5e
DisplayName: Kubernetes cluster containers should only use allowed AppArmor profiles
Description: Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0)
Category: Kubernetes
Id: e345eecc-fa47-480f-9e88-67dcc122b164
DisplayName: Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
Description: Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major (6.0.0 > 7.0.0)
Category: Storage
Id: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
DisplayName: [Preview]: Storage account public access should be disallowed
Description: Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major, suffix remains equal (2.0.1-preview > 3.0.1-preview)
Category: Kubernetes
Id: a8eff44f-8c92-45c3-a3fb-9880802d67a7
DisplayName: Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Description: Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
2021-08-30 14:27:30
change: Major (1.0.0 > 2.0.0)
Category: Kubernetes
Id: 8dfab9c4-fe7b-49ad-85e4-1e9be085358f
DisplayName: [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-08-30 14:27:30
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Category: Key Vault
Id: 5ff38825-c5d8-47c5-b70e-069a21955146
DisplayName: Keys should have more than the specified number of days before expiration
Description: If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: Key Vault
Id: 587c79fe-dd04-4a5e-9d0b-f89598c7261b
DisplayName: Keys should be backed by a hardware security module (HSM)
Description: An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: Key Vault
Id: 342e8053-e12e-4c44-be01-c3c2f318400f
DisplayName: Secrets should have the specified maximum validity period
Description: Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: Kubernetes
Id: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
DisplayName: Kubernetes cluster containers should only use allowed ProcMountType
Description: Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major (4.0.0 > 5.0.0)
Category: Key Vault
Id: 49a22571-d204-4c91-a7b6-09b1a586fbc9
DisplayName: Keys should have the specified maximum validity period
Description: Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
Category: Key Vault
Id: f772fb64-8e40-40ad-87bc-7706e1949427
DisplayName: [Preview]: Certificates should not expire within the specified number of days
Description: Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1)
Category: Kubernetes
Id: d2e7ea85-6b44-4317-a0be-1b951587f626
DisplayName: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
Description: To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.
Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
2021-08-30 14:27:30
change: Major, suffix remains equal (2.1.0-preview > 3.0.0-preview)
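The Kubernetes rows above (no privilege escalation, approved host network and port range, allowed seccomp profiles, allowed hostPath volumes, approved user IDs, read-only root file system, allowed and CAP_SYS_ADMIN capabilities, CPU and memory limits, and the default namespace) are enforced on the cluster by Gatekeeper constraints that the Azure Policy add-on installs. Before switching an assignment from Audit to Deny it helps to run equivalent checks over a manifest locally and see which workloads would be rejected. The script below is an added example, not Microsoft's constraint templates and not code from this page: the parameter names in PARAMS, the two sample manifests, and the decision to treat an unset allowPrivilegeEscalation or readOnlyRootFilesystem as a violation (the Kubernetes defaults are permissive) are this example's own assumptions.

```python
import re

# Constructed constraint parameters modelled on the policies' parameters;
# these names are this example's own, not the definitions' parameter names.
PARAMS = {
    "allowed_capabilities": {"NET_BIND_SERVICE"},   # any other 'add' fails
    "required_drop_capabilities": {"ALL"},          # every container must drop these
    "allow_host_network": False,
    "host_port_range": (0, 0),                      # effectively no hostPort at all
    "run_as_user_ranges": [(1000, 65535)],          # non-root UID ranges
    "allowed_host_paths": ["/var/log"],
    "allowed_seccomp_types": {"RuntimeDefault", "Localhost"},
    "cpu_limit_max": "1000m",
    "memory_limit_max": "512Mi",
}

_QTY = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")
_SUFFIX = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
           "Ki": 2 ** 10, "Mi": 2 ** 20, "Gi": 2 ** 30}


def parse_quantity(q):
    """Convert a Kubernetes quantity ('500m', '256Mi', '2') to base units."""
    m = _QTY.match(str(q))
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity {q!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]


def _under_allowed_path(path, allowed):
    return any(path == a or path.startswith(a.rstrip("/") + "/") for a in allowed)


def check_pod(pod, p=PARAMS):
    """Return the list of violations for one pod manifest (empty == compliant)."""
    v = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    if pod.get("metadata", {}).get("namespace", "default") == "default":
        v.append("pod is in the default namespace")
    if spec.get("hostNetwork") and not p["allow_host_network"]:
        v.append("hostNetwork is enabled")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and not _under_allowed_path(path, p["allowed_host_paths"]):
            v.append(f"hostPath {path} is not under an allowed path")
    lo, hi = p["host_port_range"]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        # The API defaults are permissive, so an unset field counts as a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            v.append(f"{name}: readOnlyRootFilesystem is not true")
        caps = sc.get("capabilities", {})
        extra = set(caps.get("add", [])) - p["allowed_capabilities"]
        if extra:
            v.append(f"{name}: adds disallowed capabilities {sorted(extra)}")
        missing = p["required_drop_capabilities"] - set(caps.get("drop", []))
        if missing:
            v.append(f"{name}: does not drop {sorted(missing)}")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))   # container overrides pod
        if uid is None or not any(a <= uid <= b for a, b in p["run_as_user_ranges"]):
            v.append(f"{name}: runAsUser {uid} is outside the allowed ranges")
        prof = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if prof.get("type") not in p["allowed_seccomp_types"]:
            v.append(f"{name}: seccomp profile type {prof.get('type')!r} not allowed")
        for port in c.get("ports", []):
            hp = port.get("hostPort")
            if hp is not None and not lo <= hp <= hi:
                v.append(f"{name}: hostPort {hp} is outside {lo}-{hi}")
        limits = c.get("resources", {}).get("limits", {})
        for res, cap in (("cpu", p["cpu_limit_max"]), ("memory", p["memory_limit_max"])):
            if res not in limits:
                v.append(f"{name}: no {res} limit set")
            elif parse_quantity(limits[res]) > parse_quantity(cap):
                v.append(f"{name}: {res} limit {limits[res]} exceeds {cap}")
    return v


# Constructed sample manifests, not taken from any real cluster.
GOOD_POD = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "securityContext": {"runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "registry.example/web:1.0",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"],
                                                 "add": ["NET_BIND_SERVICE"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

BAD_POD = {
    "metadata": {"name": "debug"},                  # no namespace: lands in "default"
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "registry.example/tools",
            "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
            "ports": [{"containerPort": 22, "hostPort": 2222}],
            "resources": {"limits": {"cpu": "4", "memory": "8Gi"}}}]}}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "compliant")
```

Running it reports the web pod as compliant and lists twelve findings for the debug pod, one per policy it would trip. The checker is deliberately stricter than the Audit default of the rows above: it is meant to tell you what Deny would reject, not to replicate Gatekeeper's Rego.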
Category: API Management
Id: df73bd95-24da-4a4f-96b9-4e8b94b402bd
DisplayName: API Management services should disable public network access
Description: To improve the security of API Management services, ensure that endpoints aren't exposed to the public internet. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-08-30 14:27:30
add: df73bd95-24da-4a4f-96b9-4e8b94b402bd
Category: SQL
Id: f4c68484-132f-41f9-9b6d-3e4b1cb55036
DisplayName: Configure SQL servers to have auditing enabled
Description: To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
SQL Security Manager
Storage Account Contributor
2021-08-30 14:27:30
change: Major (2.0.0 > 3.0.0)
Category: Key Vault
Id: e8d99835-8a06-45ae-a8e0-87a91941ccfe
DisplayName: Secrets should not be active for longer than the specified number of days
Description: If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
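The Key Vault rows above (keys and secrets should have an expiration date, should not be active longer than N days, should have more than N days before expiration, should stay within a maximum validity period; secrets should carry a content type; keys should be HSM-backed, meet an RSA minimum size and use allowed EC curves) all reduce to a few comparisons over the attribute block the Key Vault REST API returns for an object, where created, nbf and exp are Unix timestamps in seconds. The script below is an added example, not Microsoft's policy evaluation logic and not code from this page: the threshold names in PARAMS, the sample bundles (including the key_size field, which a real key bundle does not carry directly) and the choice to measure the active period from nbf when it is set and from created otherwise are this example's assumptions. It also encodes the point the "Secrets should not be active for longer than the specified number of days" row makes: an activation date still in the future means the object has not been active at all.

```python
from datetime import datetime, timezone

DAY = 86400  # Key Vault attributes (created, nbf, exp) are Unix timestamps in seconds

# Constructed thresholds; these names are this example's own, not the policies' parameter names.
PARAMS = {
    "max_active_days": 730,          # "not active for longer than" (two years)
    "min_days_before_expiry": 30,    # "more than the specified number of days before expiration"
    "max_validity_days": 365,        # "maximum validity period"
    "min_rsa_bits": 2048,
    "allowed_curves": {"P-256", "P-384", "P-521"},
    "require_hsm": True,             # key type must be RSA-HSM or EC-HSM
}


def evaluate(obj, now, p=PARAMS):
    """Map each rule to True (compliant) or False (violation) for one key/secret bundle.

    obj mirrors the REST shape: {'kind': 'key'|'secret', 'attributes': {...},
    'kty', 'key_size', 'crv', 'contentType'}; now is a Unix timestamp.
    """
    a = obj.get("attributes", {})
    created, nbf, exp = a.get("created"), a.get("nbf"), a.get("exp")
    active_since = nbf if nbf is not None else created   # activation date wins over creation
    r = {"has_expiration": exp is not None}
    # An activation date still in the future means the object has not been active yet.
    r["not_active_too_long"] = (active_since is None or active_since > now
                                or now - active_since <= p["max_active_days"] * DAY)
    r["enough_days_before_expiry"] = (exp is None
                                      or exp - now >= p["min_days_before_expiry"] * DAY)
    r["within_max_validity"] = (exp is None or active_since is None
                                or exp - active_since <= p["max_validity_days"] * DAY)
    if obj.get("kind") == "secret":
        r["has_content_type"] = bool(obj.get("contentType"))
    else:
        kty = obj.get("kty", "")
        r["hsm_backed"] = not p["require_hsm"] or kty.endswith("-HSM")
        if kty.startswith("RSA"):
            r["rsa_min_size"] = obj.get("key_size", 0) >= p["min_rsa_bits"]
        if kty.startswith("EC"):
            r["allowed_curve"] = obj.get("crv") in p["allowed_curves"]
    return r


def violations(obj, now, p=PARAMS):
    """Sorted names of the rules obj fails at time now."""
    return sorted(rule for rule, ok in evaluate(obj, now, p).items() if not ok)


NOW = int(datetime(2022, 8, 11, tzinfo=timezone.utc).timestamp())


def days(n):
    """Unix timestamp n days from NOW (negative n is in the past)."""
    return NOW + n * DAY


# Constructed sample bundles, not data from any real vault.
GOOD_KEY = {"kind": "key", "kty": "RSA-HSM", "key_size": 3072,
            "attributes": {"created": days(-100), "nbf": days(-100), "exp": days(200)}}
STALE_KEY = {"kind": "key", "kty": "RSA", "key_size": 1024,
             "attributes": {"created": days(-800)}}            # never given an expiry
FUTURE_SECRET = {"kind": "secret", "contentType": "",
                 "attributes": {"created": days(-1), "nbf": days(10), "exp": days(20)}}
EC_KEY = {"kind": "key", "kty": "EC-HSM", "crv": "P-256K",
          "attributes": {"created": days(-10), "exp": days(400)}}

if __name__ == "__main__":
    for label, obj in (("good", GOOD_KEY), ("stale", STALE_KEY),
                       ("future-secret", FUTURE_SECRET), ("ec", EC_KEY)):
        print(label, violations(obj, NOW) or "compliant")
```

The stale key fails four rules at once (no expiry, active for 800 days, software-backed, 1024-bit RSA), which is the typical shape of a long-lived key created before these policies existed; the future-dated secret is not yet active, so only its missing content type and its too-short rotation window are reported.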
Category: Monitoring
Id: 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6
DisplayName: Azure Monitor Private Link Scope should use private link
Description: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-08-30 14:27:30
add: 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6
Category: Security Center
Id: 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff
DisplayName: [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines
Description: Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Key Vault
Id: d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844
DisplayName: [Preview]: Configure Azure Key Vault Managed HSM with private endpoints
Description: Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Managed HSM contributor
2021-08-23 14:26:16
add: d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844
Category: Cognitive Services
Id: cddd188c-4b82-4c48-a19d-ddf74ee66a01
DisplayName: Cognitive Services should use private link
Description: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800.
Default: Audit
Allowed: (Audit, Disabled)
2021-08-23 14:26:16
change: Major (1.0.0 > 2.0.0)
Category: Storage
Id: bfecdea6-31c4-4045-ad42-71b9dc87247d
DisplayName: Storage account encryption scopes should use double encryption for data at rest
Description: Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-23 14:26:16
add: bfecdea6-31c4-4045-ad42-71b9dc87247d
Category: Storage
Id: 6fac406b-40ca-413b-bf8e-0bf964659c25
DisplayName: Storage accounts should use customer-managed key for encryption
Description: Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.
Default: Audit
Allowed: (Audit, Disabled)
2021-08-23 14:26:16
change: Patch (1.0.2 > 1.0.3)
Category: Security Center
Id: 5f8eb305-9c9f-4abe-9bb0-df220d9faba2
DisplayName: [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent
Description: Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-08-23 14:26:16
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
Category: Bot Service
Id: ffea632e-4e3a-4424-bf78-10e179bb2e1a
DisplayName: Bot Service should have local authentication methods disabled
Description: Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-23 14:26:16
add: ffea632e-4e3a-4424-bf78-10e179bb2e1a
Category: Kubernetes
Id: a1840de2-8088-4ea8-b153-b4c723e9cb01
DisplayName: Azure Kubernetes Service clusters should have Defender profile enabled
Description: Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks
Default: Audit
Allowed: (Audit, Disabled)
2021-08-23 14:26:16
add: a1840de2-8088-4ea8-b153-b4c723e9cb01
Category: Cognitive Services
Id: 037eea7a-bd0a-46c5-9a66-03aea78705d3
DisplayName: Cognitive Services accounts should restrict network access
Description: Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-23 14:26:16
change: Major (1.0.0 > 2.0.0)
Category: Cognitive Services
Id: db630ad5-52e9-4f4d-9c44-53912fe40053
DisplayName: Configure Cognitive Services accounts with private endpoints
Description: Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Cognitive Services Contributor
2021-08-23 14:26:16
change: Major (1.0.0 > 2.0.0)
Category: Key Vault
Id: 59fee2f4-d439-4f1b-9b9a-982e1474bfd8
DisplayName: [Preview]: Azure Key Vault Managed HSM should use private link
Description: Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link
Default: Audit
Allowed: (Audit, Disabled)
2021-08-23 14:26:16
add: 59fee2f4-d439-4f1b-9b9a-982e1474bfd8
Category: Security Center
Id: 6074e9a3-c711-4856-976d-24d51f9e065b
DisplayName: [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension
Description: Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: SQL
Id: c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd
DisplayName: Configure Azure Defender to be enabled on SQL managed instances
Description: Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
SQL Security Manager
2021-08-23 14:26:16
change: Major (1.0.0 > 2.0.0)
Category: Key Vault
Id: 19ea9d63-adee-4431-a95e-1913c6c1c75f
DisplayName: [Preview]: Azure Key Vault Managed HSM should disable public network access
Description: Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-23 14:26:16
add: 19ea9d63-adee-4431-a95e-1913c6c1c75f
Category: Kubernetes
Id: 64def556-fbad-4622-930e-72d1d5589bf5
DisplayName: Configure Azure Kubernetes Service clusters to enable Defender profile
Description: Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2021-08-23 14:26:16
add: 64def556-fbad-4622-930e-72d1d5589bf5
Category: Security Center
Id: 95406fc3-1f69-47b0-8105-4c03b276ec5c
DisplayName: [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot
Description: Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Cognitive Services
Id: 0725b4dd-7e76-479c-a735-68e7ee23d5ca
DisplayName: Cognitive Services accounts should disable public network access
Description: Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-08-23 14:26:16
change: Major (1.0.1 > 2.0.0)
Category: Security Center
Id: 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e
DisplayName: [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension
Description: Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Security Center
Id: a21f8c92-9e22-4f09-b759-50500d1d2dda
DisplayName: [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets
Description: Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Category: Cognitive Services
Id: 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c
DisplayName: Configure Cognitive Services accounts to disable public network access
Description: Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800.
Effect: Default: Modify; Allowed: (Disabled, Modify)
Roles used: Contributor
Details (UTC ymd): 2021-08-23 14:26:16; change: Major (1.0.0 > 2.0.0)

Category: Monitoring
Id: 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6
DisplayName: Azure Monitor Private Link Scope should use private link
Description: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Link Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security.
Effect: n/a
Roles used: n/a
Details (UTC ymd): 2021-08-16 16:08:10; remove: 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6

Category: Media Services
Id: 8bfe3603-0888-404a-87ff-5c1b6b4cc5e3
DisplayName: Azure Media Services accounts should disable public network access
Description: Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-08-13 17:07:49; add: 8bfe3603-0888-404a-87ff-5c1b6b4cc5e3

Category: Kubernetes
Id: 9f061a12-e40d-4183-a00e-171812443373
DisplayName: Kubernetes clusters should not use the default namespace
Description: Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC ymd): 2021-08-13 17:07:49; change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

Category: SQL
Id: 0a370ff3-6cab-4e85-8995-295fd854c5b8
DisplayName: SQL servers should use customer-managed keys to encrypt data at rest
Description: Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-08-13 17:07:49; add: 0a370ff3-6cab-4e85-8995-295fd854c5b8

Category: SQL
Id: abda6d70-9778-44e7-84a8-06713e6db027
DisplayName: Azure SQL Database should have Azure Active Directory Only Authentication enabled
Description: Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-08-13 17:07:49; add: abda6d70-9778-44e7-84a8-06713e6db027

Category: Kubernetes
Id: febd0533-8e55-448f-b837-bd0e06f16469
DisplayName: Kubernetes cluster containers should only use allowed images
Description: Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect: Default: Deny; Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Details (UTC ymd): 2021-08-13 17:07:49; change: Major (6.1.0 > 7.0.0)

Category: SQL
Id: 78215662-041e-49ed-a9dd-5385911b3a1f
DisplayName: Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled
Description: Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-08-13 17:07:49; add: 78215662-041e-49ed-a9dd-5385911b3a1f

Category: SQL
Id: ac01ad65-10e5-46df-bdd9-6b0cad13e1d2
DisplayName: SQL managed instances should use customer-managed keys to encrypt data at rest
Description: Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-08-13 17:07:49; add: ac01ad65-10e5-46df-bdd9-6b0cad13e1d2

Category: Kubernetes
Id: 993c2fcd-2b29-49d2-9eb0-df2c3a730c32
DisplayName: Azure Kubernetes Service Clusters should have local authentication methods disabled
Description: Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-08-09 19:32:42; add: 993c2fcd-2b29-49d2-9eb0-df2c3a730c32

Category: Batch
Id: 1760f9d4-7206-436e-a28f-d9f3a5c8a227
DisplayName: Azure Batch pools should have disk encryption enabled
Description: Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption.
Effect: Default: Audit; Allowed: (Audit, Disabled, Deny)
Details (UTC ymd): 2021-08-09 19:32:42; add: 1760f9d4-7206-436e-a28f-d9f3a5c8a227

Category: Batch
Id: 6f68b69f-05fe-49cd-b361-777ee9ca7e35
DisplayName: Batch accounts should have local authentication methods disabled
Description: Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-08-09 19:32:42; add: 6f68b69f-05fe-49cd-b361-777ee9ca7e35

Category: SignalR
Id: f70eecba-335d-4bbc-81d5-5b17b03d498f
DisplayName: Azure SignalR Service should have local authentication methods disabled
Description: Disabling local authentication methods improves security by ensuring that Azure SignalR Service exclusively requires Azure Active Directory identities for authentication.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-08-09 19:32:42; add: f70eecba-335d-4bbc-81d5-5b17b03d498f

Category: Batch
Id: 4dbc2f5c-51cf-4e38-9179-c7028eed2274
DisplayName: Configure Batch accounts to disable local authentication
Description: Disable local authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth.
Effect: Default: Modify; Allowed: (Modify, Disabled)
Roles used: Contributor
Details (UTC ymd): 2021-08-09 19:32:42; add: 4dbc2f5c-51cf-4e38-9179-c7028eed2274

Category: Container Registry
Id: 524b0254-c285-4903-bee6-bb8126cde579
DisplayName: Container registries should have exports disabled
Description: Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-08-09 19:32:42; add: 524b0254-c285-4903-bee6-bb8126cde579

Category: SQL
Id: fd2d1a6e-6d95-4df2-ad00-504bf0273406
DisplayName: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.
Description: To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows Server, the latter should have the SQL Server extension installed and the server's managed identity should be configured with the Azure Connected SQL Server Onboarding role.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Log Analytics Contributor, User Access Administrator
Details (UTC ymd): 2021-08-09 19:32:42; add: fd2d1a6e-6d95-4df2-ad00-504bf0273406

Category: Machine Learning
Id: 6a6f7384-63de-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure code signing for training code for specified Azure Machine Learning computes
Description: Provide code signing for training code in specified Azure Machine Learning computes. This policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC ymd): 2021-08-02 15:58:22; change: Major, suffix remains equal (2.1.0-preview > 3.1.0-preview)

Category: Machine Learning
Id: 53c70b02-63dd-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure allowed module authors for specified Azure Machine Learning computes
Description: Provide allowed module authors in specified Azure Machine Learning computes. This policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC ymd): 2021-08-02 15:58:22; change: Major, suffix remains equal (2.1.0-preview > 3.0.0-preview)

Category: Machine Learning
Id: 1d413020-63de-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes
Description: Provide the log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes. This policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC ymd): 2021-08-02 15:58:22; change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

Category: Machine Learning
Id: 5853517a-63de-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure allowed registries for specified Azure Machine Learning computes
Description: Provide the registries that are allowed in specified Azure Machine Learning computes. This policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC ymd): 2021-08-02 15:58:22; change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

Category: Machine Learning
Id: 77eeea86-7e81-4a7d-9067-de844d096752
DisplayName: [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes
Description: Provide the allowed Python packages in specified Azure Machine Learning computes. This policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC ymd): 2021-08-02 15:58:22; change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

Category: Machine Learning
Id: 3948394e-63de-11ea-bc55-0242ac130003
DisplayName: [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes
Description: Configure an approval endpoint that is called prior to jobs running for specified Azure Machine Learning computes. This policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting, disabled)
Details (UTC ymd): 2021-08-02 15:58:22; change: Major, suffix remains equal (2.1.0-preview > 3.0.0-preview)

Category: Storage
Id: 044985bb-afe1-42cd-8a36-9d5d42424537
DisplayName: Storage account keys should not be expired
Description: Ensure that user storage account keys are not expired when a key expiration policy is set; this improves the security of account keys by taking action when the keys have expired.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-07-30 15:17:20; change: Major (2.0.0 > 3.0.0)

Category: Security Center
Id: b99b73e7-074b-4089-9395-b7236f094491
DisplayName: Configure Azure Defender for Azure SQL database to be enabled
Description: Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
Details (UTC ymd): 2021-07-30 15:17:20; add: b99b73e7-074b-4089-9395-b7236f094491

Category: Monitoring
Id: 69af7d4a-7b18-4044-93a9-2651498ef203
DisplayName: Configure Log Analytics extension on Azure Arc enabled Windows servers
Description: Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Log Analytics Contributor
Details (UTC ymd): 2021-07-30 15:17:20; change: Major (1.2.0 > 2.0.0)

Category: Security Center
Id: 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835
DisplayName: Azure Defender for open-source relational databases should be enabled
Description: Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Details (UTC ymd): 2021-07-30 15:17:20; add: 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835

Category: Backup
Id: deeddb44-9f94-4903-9fa0-081d524406e3
DisplayName: [Preview]: Azure Recovery Services vaults should use private link for backup
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints.
Effect: Default: Audit; Allowed: (Audit, Disabled)
Details (UTC ymd): 2021-07-30 15:17:20; change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

Category: Security Center
Id: 50ea7265-7d8c-429e-9a7d-ca1f410191c3
DisplayName: Configure Azure Defender for SQL servers on machines to be enabled
Description: Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
Details (UTC ymd): 2021-07-30 15:17:20; add: 50ea7265-7d8c-429e-9a7d-ca1f410191c3

Category: Security Center
Id: 509122b9-ddd9-47ba-a5f1-d0dac20be63c
DisplayName: Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance
Description: Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC ymd): 2021-07-30 15:17:20; change: Major (3.0.0 > 4.0.0)

Category: Security Center
Id: b7021b2b-08fd-4dc0-9de7-3c6ece09faf9
DisplayName: Configure Azure Defender for Resource Manager to be enabled
Description: Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
Details (UTC ymd): 2021-07-30 15:17:20; add: b7021b2b-08fd-4dc0-9de7-3c6ece09faf9

Category: SQL
Id: f4c68484-132f-41f9-9b6d-3e4b1cb55036
DisplayName: Configure SQL servers to have auditing enabled
Description: To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: SQL Security Manager, Storage Account Contributor
Details (UTC ymd): 2021-07-30 15:17:20; change: Major (1.2.0 > 2.0.0)

Category: Search
Id: 76a56461-9dc0-40f0-82f5-2453283afa2f
DisplayName: Azure Cognitive Search services should use customer-managed keys to encrypt data at rest
Description: Enabling encryption at rest using a customer-managed key on your Azure Cognitive Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Details (UTC ymd): 2021-07-30 15:17:20; add: 76a56461-9dc0-40f0-82f5-2453283afa2f

Category: Security Center
Id: f1525828-9a90-4fcf-be48-268cdd02361e
DisplayName: Deploy Workflow Automation for Microsoft Defender for Cloud alerts
Description: Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC ymd): 2021-07-30 15:17:20; change: Major (3.0.0 > 4.0.0)

Category: Security Center
Id: ffb6f416-7bd2-4488-8828-56585fef2be9
DisplayName: Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data
Description: Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC ymd): 2021-07-30 15:17:20; change: Major (3.0.0 > 4.0.0)

Category: Monitoring
Id: 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4
DisplayName: Configure Dependency agent on Azure Arc enabled Windows servers
Description: Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Log Analytics Contributor
Details (UTC ymd): 2021-07-30 15:17:20; change: Major (1.2.1 > 2.0.0)

Category: Security Center
Id: d3d1e68e-49d4-4b56-acff-93cef644b432
DisplayName: [Deprecated]: Configure Azure Defender for container registries to be enabled
Description: Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
Details (UTC ymd): 2021-07-30 15:17:20; add: d3d1e68e-49d4-4b56-acff-93cef644b432

Category: Security Center
Id: 73d6ab6c-2475-4850-afd6-43795f3492ef
DisplayName: Deploy Workflow Automation for Microsoft Defender for Cloud recommendations
Description: Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC ymd): 2021-07-30 15:17:20; change: Major (3.0.0 > 4.0.0)

Category: Security Center
Id: b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d
DisplayName: Configure Azure Defender for App Service to be enabled
Description: Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
Details (UTC ymd): 2021-07-30 15:17:20; add: b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d

Category: SQL
Id: 36d49e87-48c4-4f2e-beed-ba4ed02b71f5
DisplayName: Configure Azure Defender to be enabled on SQL servers
Description: Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
Effect: Fixed: DeployIfNotExists
Roles used: SQL Security Manager
Details (UTC ymd): 2021-07-30 15:17:20; change: Minor (2.0.0 > 2.1.0)

Category: Backup
Id: af783da1-4ad1-42be-800d-d19c70038820
DisplayName: [Preview]: Configure Recovery Services vaults to use private DNS zones for backup
Description: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Network Contributor
Details (UTC ymd): 2021-07-30 15:17:20; change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

Category: Security Center
Id: 1f725891-01c0-420a-9059-4fa46cb770b7
DisplayName: Configure Azure Defender for Key Vaults to be enabled
Description: Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
Details (UTC ymd): 2021-07-30 15:17:20; add: 1f725891-01c0-420a-9059-4fa46cb770b7

Category: Security Center
Id: 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222
DisplayName: Configure Azure Defender for servers to be enabled
Description: Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
Details (UTC ymd): 2021-07-30 15:17:20; add: 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222

Category: Security Center
Id: 2370a3c1-4a25-4283-a91a-c9c1a145fb2f
DisplayName: Configure Azure Defender for DNS to be enabled
Description: Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled)
Roles used: Security Admin
Details (UTC ymd): 2021-07-30 15:17:20; add: 2370a3c1-4a25-4283-a91a-c9c1a145fb2f