Category | Id | DisplayName | Description | Effect | Roles used | Subject | Change | Date (UTC ymd) (i) | Type |
---|---|---|---|---|---|---|---|---|---|
Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2023-12-04 18:38:36 | BuiltIn | |
Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (1.0.4 > 1.1.0-deprecated) | 2023-12-04 18:38:36 | BuiltIn | |
Event Grid | 67dcad1a-ec60-45df-8fd0-14c9d29eeaa2 | Azure Event Grid namespaces should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
Event Grid | cd8f7644-6fe8-4516-bded-0e465ead03ac | Azure Event Grid namespace MQTT broker should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
Azure Arc | 4c660f31-eafb-408d-a2b3-6ed2260bd26c | [Preview]: Deny Extended Security Updates (ESUs) license creation or modification. | This policy enables you to restrict the creation or modification of ESU licenses for Windows Server 2012 Arc machines. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing | Default Deny Allowed Deny, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
Security Center | 3592ff98-9787-443a-af59-4505d0fe0786 | Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-11-17 19:29:28 | BuiltIn |
Guest Configuration | ec2c1bce-5ad3-4b07-bb4f-e041410cd8db | [Preview]: Nexus Compute Machines should meet Security Baseline | Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
Service Bus | cfb11c26-f069-4c14-8e36-56c394dae5af | Azure Service Bus namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn | |
Event Grid | 1301a000-bc6b-4d90-8414-7091e3abdc40 | Azure Event Grid namespace topic broker should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
Azure Arc | 4864134f-d306-4ff5-94d8-ea4553b18c97 | [Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. | Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected even after their support lifecycle has ended. Learn How to prepare to deliver Extended Security Updates for Windows Server 2012 through AzureArc please visit https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Guest Configuration Resource Contributor •Hybrid Server Resource Administrator |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn |
Event Hub | 5d4e3c65-4873-47be-94f3-6f8b953a3598 | Azure Event Hub namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn | |
SQL | b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 | A Microsoft Entra administrator should be provisioned for PostgreSQL servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn | |
Event Grid | cddcbb7e-a7b1-4380-b4d8-45cf77b0d561 | Configure Azure Event Grid namespace MQTT broker with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •EventGrid Contributor •Network Contributor |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn |
Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, old suffix: preview (1.2.0-preview > 1.2.1) | 2023-11-17 19:29:28 | BuiltIn |
Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-11-17 19:29:28 | BuiltIn |
Security Center | cbdd12e1-193a-445c-9926-560118c6daaa | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, old suffix: preview (1.0.1-preview > 1.0.2) | 2023-11-17 19:29:28 | BuiltIn |
Service Bus | 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e | Configure Azure Service Bus namespaces to disable local authentication | Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. | Default Modify Allowed Modify, Disabled |
count: 001 •Azure Service Bus Data Owner |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn |
Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, old suffix: preview (1.3.0-preview > 1.3.1) | 2023-11-17 19:29:28 | BuiltIn |
Event Hub | 57f35901-8389-40bb-ac49-3ba4f86d889d | Configure Azure Event Hub namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default Modify Allowed Modify, Disabled |
count: 001 •Azure Event Hubs Data Owner |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn |
SQL | 40e85574-ef33-47e8-a854-7a65c7500560 | Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled | Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn | |
Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, old suffix: preview (1.1.1-preview > 1.1.2) | 2023-11-17 19:29:28 | BuiltIn |
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, old suffix: preview (1.3.0-preview > 1.3.1) | 2023-11-17 19:29:28 | BuiltIn |
Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-11-17 19:29:28 | BuiltIn |
Security Center | 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, old suffix: preview (1.1.0-preview > 1.1.1) | 2023-11-17 19:29:28 | BuiltIn |
Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, old suffix: preview (1.3.0-preview > 1.3.1) | 2023-11-17 19:29:28 | BuiltIn |
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, old suffix: preview (1.3.0-preview > 1.3.1) | 2023-11-17 19:29:28 | BuiltIn |
SQL | 146412e9-005c-472b-9e48-c87b72ac229e | A Microsoft Entra administrator should be provisioned for MySQL servers | Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2023-11-17 19:29:28 | BuiltIn | |
Event Grid | 2b21ce34-9c45-4037-9c84-0ac0dbd0095f | Configure Azure Event Grid namespaces with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •EventGrid Contributor •Network Contributor |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn |
Security Center | 65503269-6a54-4553-8a28-0065a8e6d929 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch, old suffix: preview (1.1.1-preview > 1.1.2) | 2023-11-17 19:29:28 | BuiltIn |
Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Deprecated]: Configure Microsoft Defender for APIs should be enabled | This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch, suffix remains equal (1.0.2-deprecated > 1.0.3-deprecated) | 2023-11-14 18:14:48 | BuiltIn |
General | e624c84f-2923-4437-9fd9-4115c6da3888 | Configure subscriptions to set up preview features | This policy evaluates existing subscription's preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-11-14 18:14:48 | BuiltIn |
Kubernetes | ca8d5704-aa2b-40cf-b110-dc19052825ad | Kubernetes clusters should minimize wildcard use in role and cluster role | Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-14 18:14:48 | BuiltIn | |
SQL Server | f692cc79-76fb-4c61-8861-467e454ac6f8 | Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates. | Subscribe eligible Arc-enabled SQL Servers instances with License Type set to Paid or PAYG to Extended Security Updates. More on extended security updates https://go.microsoft.com/fwlink/?linkid=2239401. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Extension for SQL Server Deployment •Reader |
add |
new Policy | 2023-11-14 18:14:48 | BuiltIn |
Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) | 2023-11-08 19:40:08 | BuiltIn |
Kubernetes | 7e49285c-4bed-4564-b26a-5225ccc311f3 | Deploy Image Cleaner on Azure Kubernetes Service | Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.3 > 1.0.4) | 2023-11-08 19:40:08 | BuiltIn |
Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (3.0.0-deprecated > 3.0.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (5.2.0-deprecated > 5.2.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
Security Center | 8ac833bd-f505-48d5-887e-c993a1d3eea0 | API endpoints in Azure API Management should be authenticated | API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-11-06 19:40:47 | BuiltIn | |
Resilience | d3ee5dcf-0c6d-49ab-aee4-f250583a7bdc | [Preview]: Service Bus should be Zone Redundant | Service Bus can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for a Service Bus, it means it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for Service Bus instances. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
Resilience | 1bf67da8-b100-45bf-b89d-e4669fc54411 | [Preview]: Azure Cache for Redis should be Zone Redundant | Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
Kubernetes | 5c345cdf-2049-47e0-b8fe-b0e96bc2df35 | Azure Kubernetes Service Clusters should enable cluster auto-upgrade | AKS cluster auto-upgrade can ensure your clusters are up to date and don't miss the latest features or patches from AKS and upstream Kubernetes. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-cluster. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
Security Center | 7926a6d1-b268-4586-8197-e8ae90c877d7 | Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.0.2-preview > 1.0.3) | 2023-11-06 19:40:47 | BuiltIn | |
Resilience | 9d2b0a20-57d6-474c-9d12-44a4a20999c6 | [Preview]: Container Registry should be Zone Redundant | Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-11-06 19:40:47 | BuiltIn | |
Security Center | c8acafaf-3d23-44d1-9624-978ef0f8652c | API endpoints that are unused should be disabled and removed from the Azure API Management service | As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-11-06 19:40:47 | BuiltIn | |
Resilience | 85b005b2-95fc-4953-b9cb-f9ee6427c754 | [Preview]: Storage Accounts should be Zone Redundant | Storage Accounts can be configured to be Zone Redundant or not. If a Storage Account's SKU name does not end with 'ZRS' or its kind is 'Storage,' it is not Zone Redundant. This policy ensures that your Storage Accounts use ae Zone Redundant configuration. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
Kubernetes | a3dc4946-dba6-43e6-950d-f96532848c9f | Kubernetes clusters should ensure that the cluster-admin role is only used where required | The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
Resilience | cbe58ab0-07a8-43ea-9ccc-8ea33e4d6aa5 | [Preview]: Azure Data Explorer Clusters should be Zone Redundant | Azure Data Explorer Clusters can be configured to be Zone Redundant or not. An Azure Data Explorer Cluster is considered Zone Redundant if it has at least two entries in its zones array. This policy helps ensure the your Azure Data Explorer Clusters are Zone Redundant. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
Resilience | 42daa904-5969-47ef-92cb-b75df946195a | [Preview]: API Management Service should be Zone Redundant | API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if it's sku name is 'Premium' and it has at least two entries in it's zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
Resilience | 408934a8-941a-4c1e-ba88-dd035d9688f4 | [Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant | Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide the registries that are allowed on the specified Azure Machine Learning computes. This policy can be assigned at the workspace scope. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
SQL Server | 7148a409-0d59-4baa-925b-b3aae486a14e | [Preview]: Enable system-assigned identity to SQL VM | Enable system-assigned identity at scale to SQL virtual machines. You need to assign this policy at subscription level. Assigning it at resource group level will not work as expected. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn |
Kubernetes | 40f1aee2-4db4-4b74-acb1-c6972e24cca8 | Configure Node OS Auto upgrade on Azure Kubernetes Cluster | Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.0 > 1.0.1) | 2023-10-31 19:02:40 | BuiltIn |
Resilience | d3903bdf-ab85-4cce-85d3-2934d77629d4 | [Preview]: Virtual Machine Scale Sets should be Zone Resilient | Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | 65503269-6a54-4553-8a28-0065a8e6d929 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (4.0.0 > 4.0.1) | 2023-10-31 19:02:40 | BuiltIn |
Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide the Python packages that are allowed on the specified Azure Machine Learning computes. This policy can be assigned at the workspace scope. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
Synapse | c3624673-d2ff-48e0-b28c-5de1c6767c3c | Configure Synapse Workspaces to use only Microsoft Entra identities for authentication | Microsoft Entra-only authentication improves security by ensuring that Synapse Workspaces exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/Synapse. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-10-31 19:02:40 | BuiltIn |
Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Improve cluster security by centrally governing Administrator access to Microsoft Entra ID integrated AKS clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (2.0.3 > 2.0.4) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke enhances security by rejecting invoke-command access to the cluster. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.2 > 1.0.3) | 2023-10-31 19:02:40 | BuiltIn |
Resilience | 44c5a1f9-7ef6-4c38-880c-273e8f7a3c24 | [Preview]: Cosmos Database Accounts should be Zone Redundant | Cosmos Database Accounts can be configured to be Zone Redundant or not. If the 'enableMultipleWriteLocations' is set to 'true' then all locations must have a 'isZoneRedundant' property and it must be set to 'true'. If the 'enableMultipleWriteLocations' is set to 'false' then the primary location ('failoverPriority' set to 0) must have a 'isZoneRedundant' property and it must be set to 'true'. Enforcing this policy ensures Cosmos Database Accounts are appropriately configured for zone redundancy. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide the module authors that are allowed on the specified Azure Machine Learning computes. This policy can be assigned at the workspace scope. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
Kubernetes | d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d | [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Prevents customers from applying bad Pod Disruption Budgets. This policy relies on Gatekeeper data replication, and all ingress resources scoped to this policy will be synced into OPA. Please verify that the ingresses resources being synced won't overwhelm your memory capacity prior to assigning this policy. The policy parameters will evaluate only certain namespaces, but all resources of that kind in all namespaces will get synced. This policy is in preview for Kubernetes Service (AKS). | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
Kubernetes | 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 | [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present | Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
Kubernetes | b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 | [Preview]: Kubernetes cluster services should use unique selectors | Ensure that Services in a namespace have unique selectors. This policy relies on Gatekeeper data replication and syncs all ingress resources into OPA. Prior to applying this policy, please confirm that syncing ingress resources won't exceed your memory capacity. The policy parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. This policy is currently in preview for Kubernetes Service (AKS). | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
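Three of the Kubernetes policies listed above (cluster-admin used only where required, image pulls requiring ImagePullSecrets, and unique Service selectors per namespace) describe checks that can be reproduced offline against plain manifests. The block below is an added example written for this page; it is not Microsoft's policy definition nor the Gatekeeper constraint template the add-on deploys. It re-implements each check in Python over constructed sample manifests. The allow-list of expected cluster-admin bindings (the default `cluster-admin` ClusterRoleBinding to the `system:masters` group) is an assumption of the example, as is the choice to scan workload pod templates, not only bare Pods, for imagePullSecrets.

```python
"""Added example: offline re-implementation of three AKS policy checks over
plain Kubernetes manifests (dicts in API shape). Sample manifests are
constructed for this example and are not taken from any real cluster."""
from collections import defaultdict

# Assumption: the default binding that grants cluster-admin to system:masters
# is expected on every cluster and is not reported. Any other binding is.
EXPECTED_CLUSTER_ADMIN_BINDINGS = {("ClusterRoleBinding", "cluster-admin")}

WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet")


def cluster_admin_bindings(manifests):
    """Flag every RoleBinding/ClusterRoleBinding whose roleRef is the
    cluster-admin ClusterRole, except those on the allow-list.
    Returns (kind, namespace, name, [subject, ...]) tuples."""
    findings = []
    for m in manifests:
        if m.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = m.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        name = m["metadata"]["name"]
        if (m["kind"], name) in EXPECTED_CLUSTER_ADMIN_BINDINGS:
            continue
        subjects = [f'{s.get("kind")}:{s.get("name")}' for s in m.get("subjects", [])]
        findings.append((m["kind"], m["metadata"].get("namespace"), name, subjects))
    return findings


def pods_without_pull_secrets(manifests):
    """Pods, and the pod templates of common workloads, that declare no
    imagePullSecrets. Returns (kind, namespace, name) tuples."""
    findings = []
    for m in manifests:
        kind = m.get("kind")
        if kind == "Pod":
            spec = m.get("spec", {})
        elif kind in WORKLOAD_KINDS:
            spec = m.get("spec", {}).get("template", {}).get("spec", {})
        else:
            continue
        if not spec.get("imagePullSecrets"):
            findings.append((kind, m["metadata"].get("namespace", "default"), m["metadata"]["name"]))
    return findings


def duplicate_service_selectors(manifests):
    """Services in the same namespace that share an identical selector, which
    would make two Services route to the same pods. Services without a selector
    (ExternalName, manually managed Endpoints) are skipped.
    Returns {(namespace, frozenset(selector items)): [service names]}."""
    by_selector = defaultdict(list)
    for m in manifests:
        if m.get("kind") != "Service":
            continue
        selector = m.get("spec", {}).get("selector")
        if not selector:
            continue
        key = (m["metadata"].get("namespace", "default"), frozenset(selector.items()))
        by_selector[key].append(m["metadata"]["name"])
    return {k: v for k, v in by_selector.items() if len(v) > 1}


def evaluate(manifests):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "cluster_admin": cluster_admin_bindings(manifests),
        "missing_pull_secrets": pods_without_pull_secrets(manifests),
        "duplicate_selectors": duplicate_service_selectors(manifests),
    }


# Constructed sample manifests for this example.
SAMPLE_MANIFESTS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-bot-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-admin", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "dev"},
     "spec": {"template": {"spec": {"containers": [{"name": "api", "image": "registry.example.com/api:1.0"}],
                                    "imagePullSecrets": [{"name": "acr-pull"}]}}}},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "dev"},
     "spec": {"containers": [{"name": "sh", "image": "busybox"}]}},
    {"kind": "Service", "metadata": {"name": "api", "namespace": "dev"},
     "spec": {"selector": {"app": "api"}}},
    {"kind": "Service", "metadata": {"name": "api-canary", "namespace": "dev"},
     "spec": {"selector": {"app": "api"}}},
    {"kind": "Service", "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"selector": {"app": "api"}}},
]

if __name__ == "__main__":
    for check, hits in evaluate(SAMPLE_MANIFESTS).items():
        print(check, hits)
```

Running it reports the two non-default cluster-admin bindings (a service account and a namespaced RoleBinding that still grants cluster-wide power), the `debug` Pod with no pull secret, and the `api`/`api-canary` pair in `dev` that share `app=api`; the `prod` Service with the same selector is a different namespace and is not a duplicate. The real policies evaluate live objects through Gatekeeper rather than files, so treat this as a pre-deployment lint, not a substitute for the admission-time check.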
Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Deprecated]: Configure Microsoft Defender for APIs should be enabled | This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.0.2-preview > 1.0.2-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
Kubernetes | 7e49285c-4bed-4564-b26a-5225ccc311f3 | Deploy Image Cleaner on Azure Kubernetes Service | Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.2 > 1.0.3) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (5.2.0-preview > 5.2.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Require code signing for training code on the specified Azure Machine Learning computes. This policy can be assigned at the workspace scope. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both the Image Integrity and Policy add-ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) | 2023-10-31 19:02:40 | BuiltIn |
SQL | 78215662-041e-49ed-a9dd-5385911b3a1f | Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled | Disabling local authentication methods and allowing only Microsoft Entra authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Microsoft Entra identities. Learn more at: aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-10-31 19:02:40 | BuiltIn | |
Resilience | 42f4f3a2-7d20-4c13-a05d-01857a626c22 | [Preview]: Virtual Machines should be Zone Aligned | Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
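The [Preview] Resilience policies above (Storage Accounts, Azure Data Explorer, API Management, Azure Cache for Redis Enterprise, Virtual Machine Scale Sets, Cosmos DB and Virtual Machines) each state their zone-redundancy predicate in prose. The block below is an added example written for this page, not the policy definitions themselves: it encodes each stated predicate as a Python function over ARM-style resource dictionaries and evaluates constructed sample resources the way an Audit assignment would classify them. The resource type strings are the standard ARM types; treating a scale set that is neither Zone Aligned nor Zone Redundant as non-compliant is an assumption, and a Cosmos DB location that lacks the isZoneRedundant property is treated as failing because the policy text requires the property to be present and true.

```python
"""Added example: the zone-resilience predicates of the preview Resilience
policies, re-implemented over ARM-style resource dicts. Sample resources are
constructed for this example; property paths follow the ARM schemas."""


def storage_is_zone_redundant(r):
    # SKU name ends with 'ZRS' and the kind is not the legacy 'Storage' kind.
    return r.get("sku", {}).get("name", "").endswith("ZRS") and r.get("kind") != "Storage"


def adx_is_zone_redundant(r):
    # Azure Data Explorer: at least two entries in the zones array.
    return len(r.get("zones") or []) >= 2


def apim_is_zone_redundant(r):
    # API Management: Premium SKU and at least two zones.
    return r.get("sku", {}).get("name") == "Premium" and len(r.get("zones") or []) >= 2


def redis_enterprise_is_zone_redundant(r):
    # Redis Enterprise & Flash: fewer than three zones is not zone redundant.
    return len(r.get("zones") or []) >= 3


def vm_is_zone_aligned(r):
    # Virtual Machine: exactly one entry in the zones array.
    return len(r.get("zones") or []) == 1


def vmss_zone_classification(r):
    """Scale set: exactly one zone is Zone Aligned; three or more zones with a
    capacity of at least three is Zone Redundant; anything else is neither."""
    zones = r.get("zones") or []
    capacity = r.get("sku", {}).get("capacity", 0)
    if len(zones) == 1:
        return "ZoneAligned"
    if len(zones) >= 3 and capacity >= 3:
        return "ZoneRedundant"
    return "None"


def cosmos_is_zone_redundant(r):
    """Multi-write accounts need isZoneRedundant == true on every location;
    single-write accounts need it on the failoverPriority 0 location."""
    props = r.get("properties", {})
    locations = props.get("locations", [])
    if props.get("enableMultipleWriteLocations"):
        return bool(locations) and all(loc.get("isZoneRedundant") is True for loc in locations)
    primary = [loc for loc in locations if loc.get("failoverPriority") == 0]
    return bool(primary) and all(loc.get("isZoneRedundant") is True for loc in primary)


CHECKS = {
    "Microsoft.Storage/storageAccounts": storage_is_zone_redundant,
    "Microsoft.Kusto/clusters": adx_is_zone_redundant,
    "Microsoft.ApiManagement/service": apim_is_zone_redundant,
    "Microsoft.Cache/redisEnterprise": redis_enterprise_is_zone_redundant,
    "Microsoft.DocumentDB/databaseAccounts": cosmos_is_zone_redundant,
    "Microsoft.Compute/virtualMachines": vm_is_zone_aligned,
}


def evaluate(resources):
    """Map each resource name to the verdict an Audit assignment would record.
    Assumption: a scale set classified as 'None' is non-compliant."""
    verdicts = {}
    for r in resources:
        t = r["type"]
        if t == "Microsoft.Compute/virtualMachineScaleSets":
            ok = vmss_zone_classification(r) != "None"
        elif t in CHECKS:
            ok = CHECKS[t](r)
        else:
            continue  # resource type not covered by these policies
        verdicts[r["name"]] = "Compliant" if ok else "NonCompliant"
    return verdicts


# Constructed sample resources for this example.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "logs-v2", "kind": "StorageV2", "sku": {"name": "Standard_GZRS"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "legacy", "kind": "Storage", "sku": {"name": "Standard_ZRS"}},
    {"type": "Microsoft.Kusto/clusters", "name": "adx", "zones": ["1", "2"]},
    {"type": "Microsoft.ApiManagement/service", "name": "apim-dev", "sku": {"name": "Developer"}, "zones": ["1", "2"]},
    {"type": "Microsoft.Cache/redisEnterprise", "name": "cache", "zones": ["1", "2"]},
    {"type": "Microsoft.Compute/virtualMachineScaleSets", "name": "web", "zones": ["1", "2", "3"], "sku": {"capacity": 3}},
    {"type": "Microsoft.Compute/virtualMachineScaleSets", "name": "batch", "zones": ["1", "2", "3"], "sku": {"capacity": 2}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "jump", "zones": ["1"]},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "orders", "properties": {
        "enableMultipleWriteLocations": False,
        "locations": [{"failoverPriority": 0, "isZoneRedundant": True}, {"failoverPriority": 1, "isZoneRedundant": False}]}},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "multi", "properties": {
        "enableMultipleWriteLocations": True,
        "locations": [{"failoverPriority": 0, "isZoneRedundant": True}, {"failoverPriority": 1}]}},
]

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_RESOURCES).items():
        print(f"{name}: {verdict}")
```

The two failure modes worth noticing are the ones the policy descriptions call out: `legacy` is on a ZRS SKU but its kind is the original 'Storage' kind, so it does not count; and `multi` has multi-write enabled with one location that never declares isZoneRedundant, so it fails even though its primary is zone redundant. A Deny assignment would reject a deployment of any resource this function marks NonCompliant.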
Synapse | 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 | Synapse Workspaces should use only Microsoft Entra identities for authentication | Microsoft Entra-only authentication improves security by ensuring that Synapse Workspaces exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/Synapse. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-10-31 19:02:40 | BuiltIn | |
Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint that is called before jobs run on the specified Azure Machine Learning computes. This policy can be assigned at the workspace scope. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
SQL | abda6d70-9778-44e7-84a8-06713e6db027 | Azure SQL Database should have Microsoft Entra-only authentication enabled | Disabling local authentication methods and allowing only Microsoft Entra authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Microsoft Entra identities. Learn more at: aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-10-31 19:02:40 | BuiltIn | |
Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide the log filter expression and datastore to be used for full logs on the specified Azure Machine Learning computes. This policy can be assigned at the workspace scope. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
Security Center | 3592ff98-9787-443a-af59-4505d0fe0786 | Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Improve cluster security by centrally governing Administrator access to Microsoft Entra ID integrated AKS clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (2.0.1 > 2.0.3) | 2023-10-23 17:41:36 | BuiltIn |
Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke enhances security by rejecting invoke-command access to the cluster. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.1 > 1.0.2) | 2023-10-23 17:41:36 | BuiltIn |
Kubernetes | 7e49285c-4bed-4564-b26a-5225ccc311f3 | Deploy Image Cleaner on Azure Kubernetes Service | Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.0 > 1.0.2) | 2023-10-23 17:41:36 | BuiltIn |
Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both the Image Integrity and Policy add-ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.3-preview) | 2023-10-23 17:41:36 | BuiltIn |
General | 78460a36-508a-49a4-b2b2-2f5ec564f4bb | [Preview]: Do not allow deletion of resource types | This policy enables you to specify the resource types that your organization wants to protect from accidental deletion by blocking delete calls with the DenyAction effect. | Default DenyAction Allowed DenyAction, Disabled |
add |
new Policy | 2023-10-23 17:41:36 | BuiltIn | |
Kubernetes | 450d2877-ebea-41e8-b00c-e286317d21bf | Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration | AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-10-23 17:41:36 | BuiltIn | |
Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.1.0 > 2.2.0) | 2023-10-23 17:41:36 | BuiltIn | |
Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (4.1.0 > 4.1.1) | 2023-10-16 18:01:34 | BuiltIn | |
Guest Configuration | 828ba269-bf7f-4082-83dd-633417bc391d | Configure secure communication protocols (TLS 1.1 or TLS 1.2) on Windows machines | Creates a Guest Configuration assignment to configure the specified secure protocol version (TLS 1.1 or TLS 1.2) on Windows machines. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-10-16 18:01:34 | BuiltIn |
Internet of Things | 43c323f6-0329-4f7c-a19a-6e5a5690d042 | Azure Device Update accounts should use customer-managed key to encrypt data at rest | Encryption of data at rest in Azure Device Update with a customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and the ability to manage access to data through key access control. Learn more at: https://learn.microsoft.com/azure/iot-hub-device-update/device-update-data-encryption. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-16 18:01:34 | BuiltIn | |
Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both the Image Integrity and Policy add-ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-10-16 18:01:34 | BuiltIn |
Machine Learning | a10ee784-7409-4941-b091-663697637c0f | Configure Azure Machine Learning Workspaces to disable public network access | Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Modify Allowed Modify, Disabled | count: 001 •Contributor | change | Patch (1.0.2 > 1.0.3) | 2023-10-09 18:04:57 | BuiltIn |
Network | Audit-PrivateLinkDnsZones | Audit the creation of Private Link Private DNS Zones | This policy audits the creation of Private Link Private DNS Zones in the current scope; it is used in combination with policies that create centralized private DNS in the connectivity subscription. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-10-05 18:01:59 | ALZ |
App Configuration | b08ab3ca-1062-4db3-8803-eec9cae605d6 | App Configuration stores should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-09-27 17:59:47 | BuiltIn |
SQL | Deploy-SQL-minTLS | SQL servers deploy a specific min TLS version requirement. | Deploys a specific min TLS version requirement and enforces SSL on SQL servers. Enforcing a minimal TLS version secures the connection between your database server and your client applications, which helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •SQL Server Contributor | change | Minor (1.0.0 > 1.1.0) | 2023-09-27 17:59:47 | ALZ |
SQL | Deploy-SqlMi-minTLS | SQL managed instances deploy a specific min TLS version requirement. | Deploys a specific min TLS version requirement and enforces SSL on SQL managed instances. Enforcing a minimal TLS version secures the connection between your database server and your client applications, which helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •SQL Managed Instance Contributor | change | Minor (1.0.0 > 1.2.0) | 2023-09-27 17:59:47 | ALZ |
Monitoring | DenyAction-ActivityLogs | DenyAction implementation on Activity Logs | This is a DenyAction implementation policy on Activity Logs. | Fixed denyAction | | add | new Policy | 2023-09-27 17:59:47 | ALZ |
Storage | Deploy-Storage-sslEnforcement | Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS | Deploys a specific min TLS version requirement and enforces SSL on Azure Storage. Enforcing a minimal TLS version secures the connection between your storage account and your client applications, which helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Storage Account Contributor | change | Minor (1.1.0 > 1.2.0) | 2023-09-27 17:59:47 | ALZ |
SQL | Deploy-PostgreSQL-sslEnforcement | Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL | Deploys a specific min TLS version requirement and enforces SSL on Azure Database for PostgreSQL server. Enforcing a minimal TLS version secures the connection between your database server and your client applications, which helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | change | Minor (1.0.0 > 1.1.0) | 2023-09-27 17:59:47 | ALZ |
Monitoring | DenyAction-DiagnosticLogs | DenyAction implementation on Diagnostic Logs. | DenyAction implementation on Diagnostic Logs. | Fixed denyAction | | add | new Policy | 2023-09-27 17:59:47 | ALZ |
App Configuration | 72bc14af-4ab8-43af-b4e4-38e7983f9a1f | Configure App Configuration stores to disable local authentication methods | Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default Modify Allowed Modify, Disabled | count: 001 •Contributor | change | Patch (1.0.0 > 1.0.1) | 2023-09-27 17:59:47 | BuiltIn |
Container Registry | 84497762-32b6-4ab3-80b6-732ea48b85a2 | Container registries should prevent cache rule creation | Disable cache rule creation for your Azure Container Registry to prevent pull-through cache pulls. Learn more at: https://aka.ms/acr/cache. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2023-09-27 17:59:47 | BuiltIn |
Monitoring | Deploy-Diagnostics-CosmosDB | Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace | Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB account that is missing these diagnostic settings is created or updated. The policy will set the diagnostic settings with all metrics and categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.1.0 > 1.2.0) | 2023-09-27 17:59:47 | ALZ |
SQL | Deploy-MySQL-sslEnforcement | Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. | Deploys a specific min TLS version requirement and enforces SSL on Azure Database for MySQL server. Requiring a minimum TLS version between the server and client applications secures the connection between your database server and your client applications, which helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | change | Minor (1.0.0 > 1.1.0) | 2023-09-27 17:59:47 | ALZ |
Kubernetes | 40f1aee2-4db4-4b74-acb1-c6972e24cca8 | Configure Node OS Auto upgrade on Azure Kubernetes Cluster | Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment | add | new Policy | 2023-09-22 17:59:46 | BuiltIn |
Kubernetes | 04408ca5-aa10-42ce-8536-98955cdddd4c | Azure Kubernetes Service Clusters should enable node os auto-upgrade | AKS node OS auto-upgrade controls node-level OS security updates. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. | Default Audit Allowed Audit, Disabled | | add | new Policy | 2023-09-22 17:59:46 | BuiltIn |
App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Website Contributor | change | Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
Machine Learning | a10ee784-7409-4941-b091-663697637c0f | Configure Azure Machine Learning Workspaces to disable public network access | Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Modify Allowed Modify, Disabled | count: 001 •Contributor | change | Patch (1.0.1 > 1.0.2) | 2023-09-22 17:59:46 | BuiltIn |
App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch (1.0.3 > 1.0.4) | 2023-09-22 17:59:46 | BuiltIn |
App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Website Contributor | change | Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Website Contributor | change | Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
Managed Identity | fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f | [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners | This policy limits federation with GitHub repos to only approved repository owners. | Default Audit Allowed Audit, Disabled, Deny | | change | Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-09-22 17:59:46 | BuiltIn |
App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Website Contributor | change | Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on Azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify | count: 001 •Virtual Machine Contributor | change | Patch, old suffix: preview (4.4.0-preview > 4.4.1) | 2023-09-18 18:02:04 | BuiltIn |
Kubernetes | 7e49285c-4bed-4564-b26a-5225ccc311f3 | Deploy Image Cleaner on Azure Kubernetes Service | Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment | add | new Policy | 2023-09-18 18:02:04 | BuiltIn |
Kubernetes | af3c26b2-6fad-493e-9236-9c68928516ab | Azure Kubernetes Service Clusters should enable Image Cleaner | Image Cleaner performs automatic vulnerable, unused image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up. Learn more at: https://aka.ms/aks/image-cleaner. | Default Audit Allowed Audit, Disabled | | add | new Policy | 2023-09-18 18:02:04 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | change | Patch, old suffix: preview (3.9.0-preview > 3.9.1) | 2023-09-18 18:02:04 | BuiltIn |
Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on Azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify | count: 001 •Azure Connected Machine Resource Administrator | change | Patch, old suffix: preview (2.2.0-preview > 2.2.1) | 2023-09-18 18:02:04 | BuiltIn |
Media Services | daccf7e4-9808-470c-a848-1c5b582a1afb | Azure Media Services content key policies should use token authentication | Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Microsoft Entra ID. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-09-18 18:02:04 | BuiltIn |
Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch, old suffix: preview (3.4.0-preview > 3.4.1) | 2023-09-18 18:02:04 | BuiltIn |
Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on Azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify | count: 001 •Virtual Machine Contributor | change | Minor, suffix remains equal (4.3.0-preview > 4.4.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Monitoring | 84cfed75-dfd4-421b-93df-725b479d356a | Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Patch, old suffix: preview (1.1.1-preview > 1.1.2) | 2023-09-11 17:59:12 | BuiltIn |
Monitoring | 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 | Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 002 •Contributor •User Access Administrator | change | Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | 3592ff98-9787-443a-af59-4505d0fe0786 | Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Azure Connected Machine Resource Administrator | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provides the allowed Python packages for specified Azure Machine Learning computes; can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled | | change | Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Contributor •User Access Administrator | change | Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | 65503269-6a54-4553-8a28-0065a8e6d929 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
Monitoring | 08a4470f-b26d-428d-97f4-7e3e9c92b366 | Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Patch, old suffix: preview (1.1.1-preview > 1.1.2) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Contributor •User Access Administrator | change | Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provides the log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes; can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled | | change | Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Contributor •User Access Administrator | change | Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configures an approval endpoint that is called before jobs run on specified Azure Machine Learning computes; can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled | | change | Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on Azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify | count: 001 •Azure Connected Machine Resource Administrator | change | Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Patch, old suffix: preview (3.1.0-preview > 3.1.1) | 2023-09-11 17:59:12 | BuiltIn |
Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provides the registries that are allowed in specified Azure Machine Learning computes; can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled | | change | Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Tags | 36fd7371-8eb7-4321-9c30-a7100022d048 | Requires resources to not have a specific tag. | Denies the creation of a resource that contains the given tag. Does not apply to resource groups. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Contributor •User Access Administrator | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled | | change | Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Contributor •User Access Administrator | change | Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provides code signing for training code in specified Azure Machine Learning computes; can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled | | change | Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provides the allowed module authors in specified Azure Machine Learning computes; can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled | | change | Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | change | Minor, suffix remains equal (3.8.0-preview > 3.9.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
Monitoring | af0082fd-fa58-4349-b916-b0e47abb0935 | Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-09-11 17:59:12 | BuiltIn |
Security Center | cbdd12e1-193a-445c-9926-560118c6daaa | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch, old suffix: preview (3.1.0-preview > 3.1.1) | 2023-09-11 17:59:12 | BuiltIn |
Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) | 2023-09-01 18:00:13 | BuiltIn |
Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-09-01 18:00:13 | BuiltIn | |
Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities: Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Minor (1.0.2 > 1.1.0) | 2023-09-01 18:00:13 | BuiltIn |
Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If a virtual machine does not already have disaster recovery configured, this policy enables replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Minor (2.0.0 > 2.1.0) | 2023-09-01 18:00:13 | BuiltIn |
Internet of Things | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.1 > 3.1.0) | 2023-09-01 18:00:13 | BuiltIn | |
Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) | 2023-09-01 18:00:13 | BuiltIn |
Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both the Image Integrity and Policy add-ons on Azure Kubernetes Service clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
add |
new Policy | 2023-09-01 18:00:13 | BuiltIn |
Key Vault | a2a5b911-5617-447e-a49e-59dbe0e0434b | Resource logs in Azure Key Vault Managed HSM should be enabled | To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-09-01 18:00:13 | BuiltIn | |
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-08-28 18:00:34 | BuiltIn | |
Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2023-08-28 18:00:34 | BuiltIn |
Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.3.0 > 3.4.0) | 2023-08-28 18:00:34 | BuiltIn |
ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-08-28 18:00:34 | BuiltIn |
ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn |
Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn |
Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.3.0 > 3.4.0) | 2023-08-28 18:00:34 | BuiltIn |
Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2023-08-28 18:00:34 | BuiltIn |
Security Center | 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Automanage | b025cfb4-3702-47c2-9110-87fe0cfcc99b | Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.3.0 > 1.4.0) | 2023-08-22 17:59:24 | BuiltIn |
Security Center | cbdd12e1-193a-445c-9926-560118c6daaa | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Kubernetes | cf426bb8-b320-4321-8545-1b784a5df3a4 | [Image Integrity] Kubernetes clusters should only use images signed by notation | Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn | |
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Security Center | 3592ff98-9787-443a-af59-4505d0fe0786 | Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Security Center | 65503269-6a54-4553-8a28-0065a8e6d929 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Security Center | feedbf84-6b99-488c-acc2-71c829aa5ffc | SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-08-22 17:59:24 | BuiltIn | |
Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (2.3.0 > 2.4.0) | 2023-08-22 17:59:24 | BuiltIn |
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
Security Center | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2023-08-11 17:58:20 | BuiltIn | |
Security Center | 640d2586-54d2-465f-877f-9ffc1d2109f4 | Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-08-11 17:58:20 | BuiltIn | |
Security Center | 689f7782-ef2c-4270-a6d0-7664869076bd | Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Patch (1.0.1 > 1.0.2) | 2023-08-11 17:58:20 | BuiltIn |
Monitoring | 7c4214e9-ea57-487a-b38e-310ec09bc21d | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks whether Processes and Dependencies should be enabled and creates the DCR accordingly. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) | 2023-08-11 17:58:20 | BuiltIn |
Monitoring | a0f27bdc-5b15-4810-b81d-7c4df9df1a37 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks whether Processes and Dependencies should be enabled and creates the DCR accordingly. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) | 2023-08-11 17:58:20 | BuiltIn |
Machine Learning | f110a506-2dcb-422e-bcea-d533fc8c35e2 | Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | Fixed [parameters('effects')] |
change |
Patch (1.0.2 > 1.0.3) | 2023-08-11 17:58:20 | BuiltIn | |
Monitoring | c7f3bf36-b807-4f18-82dc-f480ad713635 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks whether Processes and Dependencies should be enabled and creates the DCR accordingly. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) | 2023-08-11 17:58:20 | BuiltIn |
Security Center | 3ac7c827-eea2-4bde-acc7-9568cd320efa | Machines should have secret findings resolved | Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-08-03 17:56:09 | BuiltIn | |
Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2023-08-03 17:56:09 | BuiltIn |
Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
Guest Configuration | cd22fc48-f2c9-4b86-98d3-ec1268b46a8a | Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or by a list of users explicitly allowed by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
Kubernetes | e1352e44-d34d-4e4d-a22e-451a15f759a1 | Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster | Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn |
Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2023-08-03 17:56:09 | BuiltIn |
ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.4.0-preview > 3.8.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
General | 16fabb5c-7379-4433-8009-042066fa3a16 | Exclude Usage Costs Resources | This policy enables you to exclude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
General | 176b7c36-ac64-4f15-a296-50bd7fafab12 | Do Not Allow M365 resources | Block creation of M365 resources. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
Security Center | 8ac833bd-f505-48d5-887e-c993a1d3eea0 | API endpoints in Azure API Management should be authenticated | API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
App Service | 242222f3-4985-4e99-b5ef-086d6a6cb01c | Configure Function app slots to disable public network access | Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-08-03 17:56:09 | BuiltIn |
ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
Guest Configuration | e79ffbda-ff85-465d-ab8e-7e58a557660f | [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn | |
Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (4.0.0-preview > 4.3.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
General | 335d919a-dc24-4a94-b7cb-9f81b1a8156f | Do Not Allow MCPP resources | Block creation of MCPP resources. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2023-08-03 17:56:09 | BuiltIn | |
App Service | cd794351-e536-40f4-9750-503a463d8cad | Configure Function apps to disable public network access | Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-08-03 17:56:09 | BuiltIn |
Guest Configuration | fad40cac-a972-4db0-b204-f1b15cced89a | Local authentication methods should be disabled on Linux machines | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
Container Instance | 41ebf9df-66cb-48e9-a8d0-98afb4e150ce | Configure diagnostic settings for container groups to Log Analytics workspace | Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn |
Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2023-08-03 17:56:09 | BuiltIn |
Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (3.1.0-preview > 3.3.0-preview) | 2023-08-03 17:56:09 | BuiltIn | |
Kubernetes | 2cc2e023-0dac-4046-875b-178f683929d5 | Azure Kubernetes Service Clusters should enable workload identity | Workload identity allows you to assign a unique identity to each Kubernetes Pod and associate it with Azure AD protected resources such as Azure Key Vault, enabling secure access to these resources from within the Pod. Learn more at: https://aka.ms/aks/wi. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
App Service | 2374605e-3e0b-492b-9046-229af202562c | Configure App Service apps to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-08-03 17:56:09 | BuiltIn |
Guest Configuration | 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 | [Preview]: Linux machines should meet STIG compliance requirement for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn | |
Guest Configuration | 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f | [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn | |
App Service | c6c3e00e-d414-4ca4-914f-406699bb8eee | Configure App Service app slots to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-08-03 17:56:09 | BuiltIn |
ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.2.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2023-08-03 17:56:09 | BuiltIn |
Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
Security Center | c8acafaf-3d23-44d1-9624-978ef0f8652c | API endpoints that are unused should be disabled and removed from the Azure API Management service | As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up-to-date security coverage. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (4.1.0-preview > 4.0.0-preview) | 2023-07-25 17:56:05 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.6.0-preview > 3.4.0-preview) | 2023-07-25 17:56:05 | BuiltIn |
Cost Optimization | Audit-AzureHybridBenefit | Audit AHUB for eligible VMs | Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-25 17:56:05 | ALZ | |
Kubernetes | 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 | [Preview]: Must Have Anti Affinity Rules Set | Requires affinity rules to be set. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-07-24 17:56:14 | BuiltIn | |
Guest Configuration | 480d0f91-30af-4a76-9afb-f5710ac52b09 | Private endpoints for Guest Configuration assignments should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-07-24 17:56:14 | BuiltIn | |
Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-07-24 17:56:14 | BuiltIn | |
Security Center | 766e621d-ba95-4e43-a6f2-e945db3d7888 | Setup subscriptions to transition to an alternative vulnerability assessment solution | Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2023-07-24 17:56:14 | BuiltIn |
Kubernetes | 48940d92-ff05-449e-9111-e742d9280451 | [Preview]: Reserved System Pool Taints | Restricts the CriticalAddonsOnly taint to just the system pool | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-07-24 17:56:14 | BuiltIn | |
Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-07-24 17:56:14 | BuiltIn | |
Backup | d6f6f560-14b7-49a4-9fc8-d2c3a9807868 | [Preview]: Immutability must be enabled for Recovery Services vaults | This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-24 17:56:14 | BuiltIn | |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.5.0-preview > 3.6.0-preview) | 2023-07-24 17:56:14 | BuiltIn |
Kubernetes | a22123bd-b9da-4c86-9424-24903e91fd55 | [Preview]: No AKS Specific Labels | Prevents customers from applying AKS specific labels | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-07-24 17:56:14 | BuiltIn | |
Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) | 2023-07-24 17:56:14 | BuiltIn |
Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2023-07-14 17:56:09 | BuiltIn |
Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.3.0 > 1.4.0) | 2023-07-14 17:56:09 | BuiltIn |
Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.3.0 > 1.4.0) | 2023-07-14 17:56:09 | BuiltIn |
Compute | c3921d55-b741-4d16-8d56-7f16e99e6892 | Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. | When an export/upload URL is used, the system checks that the user has an identity in Azure Active Directory and has the necessary permissions to export/upload the data. Please refer to aka.ms/DisksAzureADAuth. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-07-14 17:56:09 | BuiltIn |
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.1.0 > 4.2.0) | 2023-07-14 17:56:09 | BuiltIn |
Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2023-07-14 17:56:09 | BuiltIn |
Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2023-07-14 17:56:09 | BuiltIn |
Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2023-07-14 17:56:09 | BuiltIn |
Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) | 2023-07-10 18:02:26 | BuiltIn |
SQL Managed Instance | 6599ab01-29bc-4852-a6f5-de9e2151714a | Transparent Data Encryption must be enabled for Arc SQL managed instances. | Enable transparent data encryption (TDE) at-rest on an Azure Arc-enabled SQL Managed Instance. Learn more at https://aka.ms/EnableTDEArcSQLMI. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn | |
Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Patch (1.0.1 > 1.0.2) | 2023-07-10 18:02:26 | BuiltIn |
Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) | 2023-07-10 18:02:26 | BuiltIn |
Storage | 978deb5d-c9a7-41f8-b4b2-b76880d0de1f | Modify - Configure your Storage account to enable blob versioning | You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Please note existing storage accounts will not be modified to enable Blob storage versioning. Only newly created storage accounts will have Blob storage versioning enabled. | Default Modify Allowed Modify, Disabled |
count: 001 •Storage Account Contributor |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.4.0-preview > 3.5.0-preview) | 2023-07-10 18:02:26 | BuiltIn |
SQL Managed Instance | bb3c7464-033e-41ee-81dc-480fde675b20 | TLS protocol 1.2 must be used for Arc SQL managed instances. | As a part of network settings, Microsoft recommends allowing only TLS 1.2 for TLS protocols in SQL Servers. Learn more on network settings for SQL Server at https://aka.ms/TlsSettingsSQLServer. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn | |
SQL Managed Instance | 413923f0-ff16-41ae-8583-90c5c5d9fa8f | Customer managed key encryption must be used as part of CMK Encryption for Arc SQL managed instances. | As a part of CMK encryption, Customer managed key encryption must be used. Learn more at https://aka.ms/EnableTDEArcSQLMI. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn | |
Storage | c36a325b-ae04-4863-ad4f-19c6678f8e08 | Configure your Storage account to enable blob versioning | You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn | |
SQL | Deploy-Sql-vulnerabilityAssessments | [Deprecated]: Deploy SQL Database vulnerability Assessments | Deploy SQL Database vulnerability Assessments when they do not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Monitoring Contributor •SQL Security Manager •Storage Account Contributor |
change |
Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated) Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ |
2023-07-07 17:55:09 | ALZ |
Network | Deny-MgmtPorts-From-Internet | Management port access from the Internet should be blocked | This policy denies any network security rule that allows management port access from the Internet | Default Deny Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet) |
2023-07-07 17:55:09 | ALZ | |
SQL | Deploy-Sql-vulnerabilityAssessments_20230706 | Deploy SQL Database Vulnerability Assessments | Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Monitoring Contributor •SQL Security Manager •Storage Account Contributor |
add |
new Policy Replaces: [Deprecated]: Deploy SQL Database vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments) |
2023-07-07 17:55:09 | ALZ |
Backup | f19b0c83-716f-4b81-85e3-2dbf057c35d6 | [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-07-03 17:55:16 | BuiltIn |
Security Center | 3ac7c827-eea2-4bde-acc7-9568cd320efa | Machines should have secret findings resolved | Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-07-03 17:55:16 | BuiltIn | |
Backup | 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda | [Preview]: Disable Cross Subscription Restore for Backup Vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-07-03 17:55:16 | BuiltIn |
Security Center | 3ac7c827-eea2-4bde-acc7-9568cd320efa | Machines should have secret findings resolved | Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-06-26 17:52:13 | BuiltIn | |
Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-06-26 17:52:13 | BuiltIn | |
Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (4.1.1-deprecated > 4.2.1-deprecated) | 2023-06-26 17:52:13 | BuiltIn |
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.1.0 > 7.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.0 > 6.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (8.1.0 > 8.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.1.0 > 5.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.1.0 > 7.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.0 > 6.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2023-06-26 17:52:13 | BuiltIn |
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.1.0 > 7.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default Audit Allowed Audit, Disabled, Deny |
change |
Minor (1.1.0 > 1.2.0) | 2023-06-26 17:52:13 | BuiltIn | |
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.1.0 > 5.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.0 > 6.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
Key Vault | d8cf8476-a2ec-4916-896e-992351803c44 | Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation. | Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-06-26 17:52:13 | BuiltIn | |
Data Factory | 77d40665-3120-4348-b539-3192ec808307 | Azure Data Factory should use a Git repository for source control | Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-06-26 17:52:13 | BuiltIn | |
Storage | Deny-FileServices-InsecureAuth | File Services with insecure authentication methods should be denied | This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
SQL | Deny-PublicEndpoint-MariaDB | [Deprecated] Public network access should be disabled for MariaDB | This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html | Default Deny Allowed Audit, Deny, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077) BuiltIn |
2023-06-20 20:17:42 | ALZ | |
Storage | Deny-FileServices-InsecureSmbChannel | File Services with insecure SMB channel encryption should be denied | This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
Storage | Deny-FileServices-InsecureKerberos | File Services with insecure Kerberos ticket encryption should be denied | This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
Network | Deny-UDR-With-Specific-NextHop | User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied | This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
Storage | Deny-StorageAccount-CustomDomain | Storage Accounts with custom domains assigned should be denied | This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
Storage | Deny-Storage-SFTP | Storage Accounts with SFTP enabled should be denied | This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
Network | Deny-Subnet-Without-Penp | Subnets without Private Endpoint Network Policies enabled should be denied | This policy denies the creation of a subnet without Private Endpoint Network Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
Machine Learning | Deny-MachineLearning-PublicNetworkAccess | [Deprecated] Azure Machine Learning should have disabled public network access | Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html | Default Deny Allowed Audit, Disabled, Deny |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Azure Machine Learning Workspaces should disable public network access (438c38d2-3772-465a-a9cc-7a6666a275ce) BuiltIn |
2023-06-20 20:17:42 | ALZ | |
Storage | Deny-FileServices-InsecureSmbVersions | File Services with insecure SMB versions should be denied | This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) | 2023-06-16 17:46:02 | BuiltIn |
Monitoring | 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 | Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-06-16 17:46:02 | BuiltIn |
Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-06-16 17:46:02 | BuiltIn |
Monitoring | af0082fd-fa58-4349-b916-b0e47abb0935 | Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-06-16 17:46:02 | BuiltIn |
Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-06-16 17:46:02 | BuiltIn |
Logic Apps | 34f95f76-5386-4de7-b824-0d8478470c9d | Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (5.0.0 > 5.1.0) | 2023-06-16 17:46:02 | BuiltIn | |
App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn |
App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn | |
App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn | |
App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn |
Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2023-06-09 17:46:13 | BuiltIn | |
App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2023-06-09 17:46:13 | BuiltIn | |
App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn |
App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (4.0.1 > 4.1.0) | 2023-06-09 17:46:13 | BuiltIn | |
App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn | |
App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn |
Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-deprecated > 1.1.0-deprecated) | 2023-06-09 17:46:13 | BuiltIn | |
Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.1.0-deprecated) | 2023-06-09 17:46:13 | BuiltIn | |
App Service | 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba | App Service apps should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
change |
Minor (1.0.0 > 1.1.0) | 2023-06-09 17:46:13 | BuiltIn | |
Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | 2023-06-06 18:29:21 | BuiltIn |
Security Center | 13a6c84f-49a5-410a-b5df-5b880c3fe009 | [Preview]: Linux virtual machines should use only signed and trusted boot components | All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-06-06 18:29:21 | BuiltIn | |
Backup | f19b0c83-716f-4b81-85e3-2dbf057c35d6 | [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
add |
new Policy | 2023-06-06 18:29:21 | BuiltIn |
Security Center | 808a7dc4-49f2-4e7b-af75-d14e561c244a | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent | Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-06-06 18:29:21 | BuiltIn |
Backup | 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda | [Preview]: Disable Cross Subscription Restore for Backup Vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
add |
new Policy | 2023-06-06 18:29:21 | BuiltIn |
Security Center | e16f967a-aa57-4f5e-89cd-8d1434d0a29a | [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets | Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-06-06 18:29:21 | BuiltIn | |
Security Center | bb2c6c6d-14bc-4443-bef3-c6be0adc6076 | [Preview]: Azure Security agent should be installed on your Windows virtual machines | Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-06-06 18:29:21 | BuiltIn | |
Guest Configuration | 3810e389-1d92-4f77-9267-33bdcf0bd225 | Windows machines should schedule Windows Defender to perform a scheduled scan every day | To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2023-06-06 18:29:21 | BuiltIn | |
Monitoring | Deploy-Diagnostics-Firewall | Deploy Diagnostic Settings for Firewall to Log Analytics workspace | Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-05-30 30:17:42 | ALZ |
Azure Databricks | 0eddd7f3-3d9b-4927-a07a-806e8ac9486c | Configure Azure Databricks workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-26 17:43:09 | BuiltIn |
Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (4.2.0 > 4.3.0) | 2023-05-26 17:43:09 | BuiltIn |
Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.2.0 > 3.3.0) | 2023-05-26 17:43:09 | BuiltIn |
Azure Databricks | 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 | Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption | Only allow Databricks workspaces with the Premium SKU that your organization can deploy to support features like Private Link and customer-managed keys for encryption. Learn more at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-05-26 17:43:09 | BuiltIn |
Cosmos DB | 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 | Cosmos DB database accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default Audit Allowed Audit, Deny, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2023-05-26 17:43:09 | BuiltIn |
Azure Databricks | 258823f2-4595-4b52-b333-cc96192710d8 | Azure Databricks Workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Disabled | | change | Patch (1.0.1 > 1.0.2) | 2023-05-26 17:43:09 | BuiltIn |
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Contributor •Log Analytics Contributor | change | Patch (4.0.3 > 4.0.4) | 2023-05-26 17:43:09 | BuiltIn |
Azure Databricks | 9c25c9e4-ee12-4882-afd2-11fb9d87893f | Azure Databricks Workspaces should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (1.0.1 > 1.0.2) | 2023-05-26 17:43:09 | BuiltIn |
Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists | count: 001 •Contributor | change | Patch (5.0.0 > 5.0.1) | 2023-05-26 17:43:09 | BuiltIn |
Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists | count: 001 •Contributor | change | Patch (5.0.0 > 5.0.1) | 2023-05-26 17:43:09 | BuiltIn |
Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (1.2.0 > 1.3.0) | 2023-05-26 17:43:09 | BuiltIn |
Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (1.2.0 > 1.3.0) | 2023-05-26 17:43:09 | BuiltIn |
Cosmos DB | dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 | Configure Cosmos DB database accounts to disable local authentication | Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default Modify Allowed Modify, Disabled | count: 001 •DocumentDB Account Contributor | change | Minor (1.0.0 > 1.1.0) | 2023-05-26 17:43:09 | BuiltIn |
Azure Databricks | 09210db3-d32c-4b2b-b4e1-f72ae920eb11 | Configure Azure Databricks Workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | change | Patch (1.0.1 > 1.0.2) | 2023-05-26 17:43:09 | BuiltIn |
Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists | count: 001 •Contributor | change | Patch (5.0.0 > 5.0.1) | 2023-05-26 17:43:09 | BuiltIn |
Monitoring | Deploy-Diagnostics-APIMgmt | Deploy Diagnostic Settings for API Management to Log Analytics workspace | Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management instance that is missing these diagnostic settings is created or updated. The policy sets the diagnostic settings with all metrics and categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.1.0 > 1.2.0) | 2023-05-22 22:17:43 | ALZ |
App Service | Append-AppService-latestTLS | AppService: append sites with the minimum TLS version to enforce. | Appends the AppService sites object to ensure that the minimum TLS version is set to the required minimum TLS version. Please note that Append does not enforce compliance; use Deny for that. | Default Append Allowed Append, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2023-05-22 22:17:43 | ALZ |
Machine Learning | f110a506-2dcb-422e-bcea-d533fc8c35e2 | Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | Fixed [parameters('effects')] | | change | Patch (1.0.1 > 1.0.2) | 2023-05-22 17:43:18 | BuiltIn |
Azure Databricks | 51c1490f-3319-459c-bbbc-7f391bbed753 | Azure Databricks Clusters should disable public IP | Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
App Service | cca5adfe-626b-4cc6-8522-f5b6ed2391bd | Configure App Service app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Website Contributor | change | Minor (1.0.0 > 1.1.0) | 2023-05-22 17:43:18 | BuiltIn |
Azure Databricks | 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d | Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace that is missing these diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Azure Databricks | 09210db3-d32c-4b2b-b4e1-f72ae920eb11 | Configure Azure Databricks Workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Azure Databricks | 138ff14d-b687-4faa-a81c-898c91a87fa2 | Resource logs in Azure Databricks Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Azure Databricks | 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 | Azure Databricks Workspaces should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Security Center | a1181c5f-672a-477a-979a-7d58aa086233 | Security Center standard pricing tier should be selected | The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. | Default Audit Allowed Audit, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2023-05-22 17:43:18 | BuiltIn |
Machine Learning | f59276f0-5740-4aaf-821d-45d185aa210e | Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace that is missing these diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning Workspaces should disable public network access | Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (2.0.0 > 2.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Azure Databricks | 9c25c9e4-ee12-4882-afd2-11fb9d87893f | Azure Databricks Workspaces should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Machine Learning | a10ee784-7409-4941-b091-663697637c0f | Configure Azure Machine Learning Workspaces to disable public network access | Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Modify Allowed Modify, Disabled | count: 001 •Contributor | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Azure Databricks | 258823f2-4595-4b52-b333-cc96192710d8 | Azure Databricks Workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Machine Learning | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f | Azure Machine Learning Computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (2.0.0 > 2.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Security Center | 090c7b07-b4ed-4561-ad20-e9075f3ccaff | Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | add | new Policy | 2023-05-22 17:43:18 | BuiltIn |
Machine Learning | 7804b5c7-01dc-4723-969b-ae300cc07ff1 | Azure Machine Learning Computes should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default Audit Allowed Audit, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Machine Learning | afe0c3be-ba3b-4544-ba52-0c99672a8ad6 | Resource logs in Azure Machine Learning Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
App Service | 70adbb40-e092-42d5-a6f8-71c540a5efdb | Configure Function app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Website Contributor | change | Minor (1.0.0 > 1.1.0) | 2023-05-22 17:43:18 | BuiltIn |
Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Azure Machine Learning Computes to disable local authentication methods | Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Modify Allowed Modify, Disabled | count: 001 •Contributor | change | Patch (2.0.0 > 2.0.1) | 2023-05-22 17:43:18 | BuiltIn |
Data Factory | 3d02a511-74e5-4dab-a5fd-878704d4a61a | [Preview]: Azure Data Factory pipelines should only communicate with allowed domains | To prevent data and token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: while in public preview, compliance for this policy is not reported, and for the policy to be applied to Data Factory, please enable the outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. | Default Deny Allowed Deny, Disabled | | add | new Policy | 2023-05-22 17:43:18 | BuiltIn |
Network | Deny-MgmtPorts-From-Internet | Management port access from the Internet should be blocked | This policy denies any network security rule that allows management port access from the Internet. | Default Deny Allowed Audit, Deny, Disabled | | change | Major (1.0.0 > 2.0.0) Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet) | 2023-05-17 17:17:42 | ALZ |
Azure Data Explorer | 8945ba5e-918e-4a57-8117-fe615d12e3ba | All Database Admin on Azure Data Explorer should be disabled | Disable the All Database Admin role to restrict the granting of highly privileged/administrative user roles. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2023-05-16 17:42:35 | BuiltIn |
SQL | e27a6dfc-883f-4f9e-97cc-a819fe702400 | [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled | This policy is deprecated because it uses an unsupported API. Instead of continuing to use this policy, we recommend you assign the replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled | | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2023-05-16 17:42:35 | BuiltIn |
Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | Running container images should have vulnerability findings resolved | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch (1.0.1 > 1.0.2) | 2023-05-16 17:42:35 | BuiltIn |
Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 002 •Contributor •User Access Administrator | change | Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) | 2023-05-12 17:41:51 | BuiltIn |
Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 002 •Contributor •User Access Administrator | change | Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) | 2023-05-12 17:41:51 | BuiltIn |
Data Factory | 496ca26b-f669-4322-a1ad-06b7b5e41882 | Configure private endpoints for Data factories | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Data Factory Contributor •Network Contributor | change | Minor (1.0.0 > 1.1.0) | 2023-05-12 17:41:51 | BuiltIn |
Security Center | 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 | Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | add | new Policy | 2023-05-12 17:41:51 | BuiltIn |
SQL Server | f36de009-cacb-47b3-b936-9c4c9120d064 | Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. | Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Patch (1.0.0 > 1.0.1) | 2023-05-05 17:42:17 | BuiltIn |
Kubernetes | 48940d92-ff05-449e-9111-e742d9280451 | [Preview]: Reserved System Pool Taints | Restricts the CriticalAddonsOnly taint to just the system pool. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2023-05-05 17:42:17 | BuiltIn |
Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set the specified time zone on Windows virtual machines. | Fixed deployIfNotExists | count: 001 •Guest Configuration Resource Contributor | change | Minor (2.0.0 > 2.1.0) | 2023-05-05 17:42:17 | BuiltIn |
Kubernetes | 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 | [Preview]: Must Have Anti Affinity Rules Set | Requires affinity rules to be set. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2023-05-05 17:42:17 | BuiltIn |
Kubernetes | a22123bd-b9da-4c86-9424-24903e91fd55 | [Preview]: No AKS Specific Labels | Prevents customers from applying AKS-specific labels. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2023-05-05 17:42:17 | BuiltIn |
Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2023-05-05 17:42:17 | BuiltIn |
Security Center | 9297c21d-2ed6-4474-b48f-163f75654ce3 | [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign the replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Version remains equal, new suffix: deprecated (3.0.1 > 3.0.1-deprecated) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (4.0.1 > 4.1.0) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (8.0.1 > 8.1.0) | 2023-05-01 17:41:52 | BuiltIn |
Security Center | 74c30959-af11-47b3-9ed2-a26e03f427a3 | Configure Microsoft Defender for Storage (Classic) to be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Security Admin | change | Patch (1.0.1 > 1.0.2) | 2023-05-01 17:41:52 | BuiltIn |
Security Center | b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 | Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Security Admin | change | Patch (1.0.1 > 1.0.2) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have readiness and/or liveness probes configured. Probe types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled | | change | Minor (3.0.1 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default Audit Allowed Audit, Deny, Disabled | | change | Minor (2.0.1 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn |
Security Center | 689f7782-ef2c-4270-a6d0-7664869076bd | Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Owner | change | Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
SQL | 40e85574-ef33-47e8-a854-7a65c7500560 | Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled | Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | add | new Policy | 2023-05-01 17:41:52 | BuiltIn |
App Service | 829b40f3-d3db-4fd2-be46-76663d3aeeb2 | Function app slots that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | add | new Policy | 2023-05-01 17:41:52 | BuiltIn |
Security Center | 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 | Configure Azure Defender for servers to be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Security Admin | change | Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to ensure that containers use only allowed images on deployments. | Default Audit Allowed Audit, Deny, Disabled | | change | Minor (3.0.1 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn |
App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (3.1.0 > 3.2.0) | 2023-05-01 17:41:52 | BuiltIn |
Security Center | 2370a3c1-4a25-4283-a91a-c9c1a145fb2f | Configure Azure Defender for DNS to be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-01 17:41:52 | BuiltIn |
Security Center | 50ea7265-7d8c-429e-9a7d-ca1f410191c3 | Configure Azure Defender for SQL servers on machines to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch (4.0.2 > 4.0.3) | 2023-05-01 17:41:52 | BuiltIn |
API Management | ffe25541-3853-4f4e-b71d-064422294b11 | API Management should have username and password authentication disabled | To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn | |
App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | App Service apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Security Center | b99b73e7-074b-4089-9395-b7236f094491 | Configure Azure Defender for Azure SQL database to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) | 2023-05-01 17:41:52 | BuiltIn | |
SQL | e27a6dfc-883f-4f9e-97cc-a819fe702400 | [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled | This policy is deprecated because it uses unsupported api. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
Security Center | aa633080-8b72-40c4-a2d7-d00c03e80bed | [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e3e008c3-56b9-4133-8fd7-d3347377402a. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (9.0.1 > 9.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
App Service | 9c014953-ef68-4a98-82af-fd0f6b2306c8 | App Service app slots that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | App Service apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
App Service | f466b2a6-823d-470d-8ea5-b031e72d79ae | App Service app slots that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
Security Center | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | [Deprecated]: Deprecated accounts should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.0.1 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 5485eac0-7e8f-4964-998b-a44f4f0c1e75 | Kubernetes cluster Windows containers should not run as ContainerAdministrator | Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Disabled |
change |
Minor (3.0.1 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Security Center | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | [Deprecated]: External accounts with read permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e9ac8f8e-ce22-4355-8f04-99b911d6be52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
App Service | e1d1b522-02b0-4d18-a04f-5ab62d20445f | Function app slots that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Security Center | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | [Deprecated]: External accounts with write permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 94e1c2ac-cbbe-4cac-a2b5-389c812dee87. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.1.1 > 3.2.1) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Security Center | e3576e28-8b17-4677-84c3-db2990658d64 | [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (8.0.1 > 8.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (8.0.1 > 8.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (2.1.1-preview > 2.2.0-preview) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (9.0.1 > 9.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Function apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Security Center | c9ddb292-b203-4738-aead-18e2716e858f | Configure Microsoft Defender for Containers to be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (8.0.1 > 8.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
App Service | 014664e7-e348-41a3-aeb9-566e4ff6a9df | Configure App Service app slots to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-01 17:41:52 | BuiltIn |
App Service | fa3a6357-c6d6-4120-8429-855577ec0063 | Configure Function app slots to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-01 17:41:52 | BuiltIn |
App Service | 46dad49f-8945-44d7-9bb1-2e1542f627d3 | App Service app slots that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (9.0.1 > 9.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Security Center | f8456c1c-aa66-4dfb-861a-25d127b775c9 | [Deprecated]: External accounts with owner permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 339353f6-2387-4a45-abe4-7f529d121046. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Function apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
Security Center | 1f725891-01c0-420a-9059-4fa46cb770b7 | Configure Azure Defender for Key Vaults to be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Security Admin | change | Patch (1.0.1 > 1.0.2) | 2023-05-01 17:41:52 | BuiltIn |
Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (4.0.1 > 4.1.0) | 2023-05-01 17:41:52 | BuiltIn |
Security Center | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 0cfea604-3201-4e14-88fc-fae4c427a6c5. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn |
Cache | Append-Redis-disableNonSslPort | Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. | Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server-to-client connections by enforcing a minimal TLS version to secure the connection between your database server and your client applications, which helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default Append Allowed Append, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-04-25 25:17:42 | ALZ |
Guest Configuration | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that allow re-use of passwords after the specified number of unique passwords. Default value for unique passwords is 24 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (2.0.0 > 2.1.0) | 2023-04-25 17:42:14 | BuiltIn |
Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that do not have the minimum password age set to the specified number of days. Default value for minimum password age is 1 day | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (2.0.0 > 2.1.0) | 2023-04-25 17:42:14 | BuiltIn |
Security Center | af9f6c70-eb74-4189-8d15-e4f11a7ebfd4 | Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data | Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | add | new Policy | 2023-04-25 17:42:14 | BuiltIn |
Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists | count: 001 •Contributor | change | Minor (4.1.0 > 4.2.0) | 2023-04-25 17:42:14 | BuiltIn |
Guest Configuration | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that do not restrict the minimum password length to the specified number of characters. Default value for minimum password length is 14 characters | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (2.0.0 > 2.1.0) | 2023-04-25 17:42:14 | BuiltIn |
Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that do not have the maximum password age set to the specified number of days. Default value for maximum password age is 70 days | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (2.0.0 > 2.1.0) | 2023-04-25 17:42:14 | BuiltIn |
API Management | ffe25541-3853-4f4e-b71d-064422294b11 | API Management should have username and password authentication disabled | To better secure the developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default Audit Allowed Audit, Disabled | | add | new Policy | 2023-04-17 17:42:20 | BuiltIn |
Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Deprecated]: Configure Microsoft Defender for APIs should be enabled | This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs; additional steps are required to complete onboarding, available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled | count: 001 •Security Admin | change | Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2023-04-17 17:42:20 | BuiltIn |
Managed Grafana | 67529aa1-5285-4b1c-8e6f-5ccd861ac98e | Configure Azure Managed Grafana workspaces to disable public network access | Disable public network access for your Azure Managed Grafana workspace so that it's not accessible over the public internet. This can reduce data leakage risks. | Default Modify Allowed Modify, Disabled | count: 001 •Contributor | add | new Policy | 2023-04-17 17:42:20 | BuiltIn |
API Management | 1b0d74ac-4b43-4c39-a15f-594385adc38d | Modify API Management to disable username and password authentication | To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default Modify Allowed Modify | count: 001 •Contributor | change | Minor (1.0.0 > 1.1.0) | 2023-04-17 17:42:20 | BuiltIn |
Security Center | 7926a6d1-b268-4586-8197-e8ae90c877d7 | Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2023-04-17 17:42:20 | BuiltIn |
SQL Server | f36de009-cacb-47b3-b936-9c4c9120d064 | Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. | Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | add | new Policy | 2023-04-17 17:42:20 | BuiltIn |
Network | Deny-RDP-From-Internet | [Deprecated] RDP access from the Internet should be blocked | This policy denies any network security rule that allows RDP access from the Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html | Default Deny Allowed Audit, Deny, Disabled | | change | Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated) Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ | 2023-04-17 17:17:42 | ALZ |
SQL | Deploy-Sql-Tde | [Deprecated] Deploy SQL Database Transparent Data Encryption | Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead: https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •SQL Security Manager | change | Patch, suffix remains equal (1.1.0-deprecated > 1.1.1-deprecated) Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn | 2023-04-17 17:17:42 | ALZ |
Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled | | change | Patch (3.1.0 > 3.1.1) | 2023-04-11 17:42:55 | BuiltIn |
Tags | 36fd7371-8eb7-4321-9c30-a7100022d048 | Requires resources to not have a specific tag. | Denies the creation of a resource that contains the given tag. Does not apply to resource groups. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Machine Learning | f110a506-2dcb-422e-bcea-d533fc8c35e2 | Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | Fixed [parameters('effects')] | | change | Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Network | 052c180e-287d-44c3-86ef-01aeae2d9774 | Configure virtual networks to use specific workspace, storage account and flowlog retention policy for traffic analytics | If it already has traffic analytics enabled, then the policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | add | new Policy | 2023-04-06 17:42:16 | BuiltIn |
Network | cd6f7aff-2845-4dab-99f2-6d1754a754b0 | Deploy a flow log resource with target virtual network | Configures a flow log for a specific virtual network. It allows logging information about IP traffic flowing through a virtual network. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | add | new Policy | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (4.1.0 > 4.2.0) | 2023-04-06 17:42:16 | BuiltIn |
Network | 4c3c6c5f-0d47-4402-99b8-aa543dd8bcee | Flow logs should be configured for every virtual network | Audit virtual networks to verify whether flow logs are configured. Enabling flow logs allows logging information about IP traffic flowing through a virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Default Audit Allowed Audit, Disabled | | add | new Policy | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (1.1.0 > 1.2.0) | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Network | 3e9965dc-cc13-47ca-8259-a4252fd0cf7b | Configure virtual network to enable traffic analytics | Traffic analytics can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then the policy does not overwrite its settings. Flow Logs are also enabled for the virtual networks that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | add | new Policy | 2023-04-06 17:42:16 | BuiltIn |
Managed Identity | fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f | [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners | This policy limits federation with GitHub repos to only approved repository owners. | Default Audit Allowed Audit, Disabled, Deny | | add | new Policy | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.1.0 > 3.2.0) | 2023-04-06 17:42:16 | BuiltIn |
SQL | 146412e9-005c-472b-9e48-c87b72ac229e | A Microsoft Entra administrator should be provisioned for MySQL servers | Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (1.1.0 > 1.2.0) | 2023-04-06 17:42:16 | BuiltIn |
Managed Identity | ae62c456-33de-4dc8-b100-7ce9028a7d99 | [Preview]: Managed Identity Federated Credentials from Azure Kubernetes should be from trusted sources | This policy limits federation with Azure Kubernetes clusters to only clusters from approved tenants, approved regions, and a specific exception list of additional clusters. | Default Audit Allowed Audit, Disabled, Deny | | add | new Policy | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Azure Connected Machine Resource Administrator | change | Minor (2.2.0 > 2.3.0) | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Azure Connected Machine Resource Administrator | change | Minor (2.2.0 > 2.3.0) | 2023-04-06 17:42:16 | BuiltIn |
Managed Identity | 2571b7c3-3056-4a61-b00a-9bc5232234f5 | [Preview]: Managed Identity Federated Credentials should be from allowed issuer types | This policy limits whether Managed Identities can use federated credentials, which common issuer types are allowed, and provides a list of allowed issuer exceptions. | Default Audit Allowed Audit, Disabled, Deny | | add | new Policy | 2023-04-06 17:42:16 | BuiltIn |
Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled | | change | Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Network | 2f080164-9f4d-497e-9db6-416dc9f7b48a | Network Watcher flow logs should have traffic analytics enabled | Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. | Default Audit Allowed Audit, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-04-06 17:42:16 | BuiltIn |
Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
Network | 27960feb-a23c-4577-8d36-ef8b5f35e0be | All flow log resources should be in enabled state | Audit flow log resources to verify whether flow log status is enabled. Enabling flow logs allows logging information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Default Audit Allowed Audit, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2023-04-06 17:42:16 | BuiltIn |
SQL | Deploy-Sql-Tde | [Deprecated] Deploy SQL Database Transparent Data Encryption | Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead: https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •SQL Security Manager | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn | 2023-04-06 06:17:42 | ALZ |
Monitoring | Deploy-Diagnostics-WVDHostPools | Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace | Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pool which is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.2.0 > 1.3.0) | 2023-04-06 06:17:42 | ALZ |
Network | Deny-MgmtPorts-From-Internet | Management port access from the Internet should be blocked | This policy denies any network security rule that allows management port access from the Internet | Default Deny Allowed Audit, Deny, Disabled | | add | new Policy Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet) | 2023-04-06 06:17:42 | ALZ |
Compute | Deploy-Vm-autoShutdown | Deploy Virtual Machine Auto Shutdown Schedule | Deploys an auto shutdown schedule to a virtual machine | Fixed deployIfNotExists | count: 001 •Virtual Machine Contributor | add | new Policy | 2023-04-06 06:17:42 | ALZ |
Monitoring | Deploy-Diagnostics-VWanS2SVPNGW | Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace | Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | add | new Policy | 2023-04-06 06:17:42 | ALZ |
Cost Optimization | Audit-Disks-UnusedResourcesCostOptimization | Unused Disks driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. | Default Audit Allowed Audit, Disabled | | add | new Policy | 2023-04-06 06:17:42 | ALZ |
Network | Deny-RDP-From-Internet | [Deprecated] RDP access from the Internet should be blocked | This policy denies any network security rule that allows RDP access from the Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html | Default Deny Allowed Audit, Deny, Disabled | | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ | 2023-04-06 06:17:42 | ALZ |
Monitoring | Deploy-Diagnostics-EventGridTopic | Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace | Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.1.0 > 1.2.0) | 2023-04-06 06:17:42 | ALZ |
Network | Audit-PrivateLinkDnsZones | Audit the creation of Private Link Private DNS Zones | This policy audits the creation of Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in the connectivity subscription | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2023-04-06 06:17:42 | ALZ |
Cost Optimization | Audit-PublicIpAddresses-UnusedResourcesCostOptimization | Unused Public IP addresses driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. | Default Audit Allowed Audit, Disabled | | add | new Policy | 2023-04-06 06:17:42 | ALZ |
Cost Optimization | Audit-ServerFarms-UnusedResourcesCostOptimization | Unused App Service plans driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. | Default Audit Allowed Audit, Disabled | | add | new Policy | 2023-04-06 06:17:42 | ALZ |
API Management | 1b0d74ac-4b43-4c39-a15f-594385adc38d | Modify API Management to disable username and password authentication | To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default Modify Allowed Modify | count: 001 •Contributor | add | new Policy | 2023-03-31 17:44:15 | BuiltIn |
Security Center | 74c30959-af11-47b3-9ed2-a26e03f427a3 | Configure Microsoft Defender for Storage (Classic) to be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Security Admin | change | Patch (1.0.0 > 1.0.1) | 2023-03-31 17:44:15 | BuiltIn |
Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Default Audit Allowed Audit, Deny, Disabled | | change | Minor (2.0.0 > 2.1.0) | 2023-03-31 17:44:15 | BuiltIn |
Storage | 361c2074-3595-4e5d-8cab-4f21dffc835c | Deploy Defender for Storage (Classic) on storage accounts | This policy enables Defender for Storage (Classic) on storage accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-03-31 17:44:15 | BuiltIn |
Cosmos DB | da69ba51-aaf1-41e5-8651-607cd0b37088 | Configure CosmosDB accounts to disable public network access | Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Default Modify Allowed Modify, Disabled |
count: 002 •Contributor •DocumentDB Account Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-03-31 17:44:15 | BuiltIn |
Security Center | 17bc14a7-92e1-4551-8b8c-80f36953e166 | Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn |
API Management | df73bd95-24da-4a4f-96b9-4e8b94b402bd | API Management should disable public network access to the service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-03-31 17:44:15 | BuiltIn | |
SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have SQL Server extension installed | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Minor (3.3.0 > 3.4.0) | 2023-03-31 17:44:15 | BuiltIn |
Network | 4598f028-de1f-4694-8751-84dceb5f86b9 | Azure Web Application Firewall on Azure Front Door should have request body inspection enabled | Ensure that Web Application Firewalls associated to Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
API Management | 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 | Configure API Management services to disable access to API Management public service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •API Management Service Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-31 17:44:15 | BuiltIn |
Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn |
Network | e52e8487-4a97-48ac-b3e6-1c3cef45d298 | Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF | The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-03-31 17:44:15 | BuiltIn | |
Network | 882e19a6-996f-400e-a30f-c090887254f4 | Migrate WAF from WAF Config to WAF Policy on Application Gateway | If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.3 > 1.0.4) | 2023-03-31 17:44:15 | BuiltIn | |
Network | ca85ef9a-741d-461d-8b7a-18c2da82c666 | Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled | Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
Monitoring | cd906338-3453-47ba-9334-2d654bf845af | Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled | Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
API Management | b741306c-968e-4b67-b916-5675e5c709f4 | API Management direct management endpoint should not be enabled | The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.1 > 1.0.2) | 2023-03-31 17:44:15 | BuiltIn | |
Key Vault | 405c5871-3e91-4644-8a63-58e19d68ff5b | Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-31 17:44:15 | BuiltIn | |
Monitoring | a142867f-3142-4ac6-b952-ab950a29fca5 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 9e6aee71-3781-4acd-bba7-aac4fb067dfa | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Azure Databricks | 9c25c9e4-ee12-4882-afd2-11fb9d87893f | Azure Databricks Workspaces should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-27 17:43:07 | BuiltIn | |
Monitoring | 76539a09-021e-4300-953b-4c6018ac26dc | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | eb5a4c26-04cb-4ab1-81cb-726dc58df772 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.2.0-preview > 3.3.0-preview) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | ae48c709-d2b4-4fad-8c5c-838524130aa4 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use only encrypted protocols | To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (2.0.1 > 2.0.2) | 2023-03-27 17:43:07 | BuiltIn | |
Monitoring | 792f8b74-dc05-44fd-b90d-340a097b80e6 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | e7c86682-34c1-488a-9aab-9cb279207992 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | a285df35-0164-4f4d-9e04-c39056742c55 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Azure Databricks | 258823f2-4595-4b52-b333-cc96192710d8 | Azure Databricks Workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-03-27 17:43:07 | BuiltIn | |
Monitoring | 9ba29e83-863d-4fec-81d0-16dd87067cc3 | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | b9b976cc-59ef-468a-807e-19afa2ebfd52 | Enable logging by category group for microsoft.network/p2svpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | f6d5d5d5-0fa9-4257-b820-69c35016c973 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Azure Databricks | 0eddd7f3-3d9b-4927-a07a-806e8ac9486c | Configure Azure Databricks workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | a853abad-dfa4-4bf5-aaa1-04cb10c02d23 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | e488a548-7afd-43a7-a903-2a6dd36e7504 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 0628b917-d4b4-4af5-bc2b-b4f87cd173ab | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 3d034ef2-001c-46f6-a47b-e6e4a74ff89b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | fc602c00-2ce3-4556-b615-fa4159517103 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | dfbfceaa-14b2-4a90-a679-d169fa6a6a38 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 71153be3-4742-4aae-9aec-150f7589311b | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | d9f11fea-dd45-46aa-8908-b7a146f1e543 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | a9ebdeda-251a-4311-92be-5167d73b1682 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 480851ae-9ff3-49d1-904c-b5bd6f83f1ec | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 6b2899d8-5fdf-4ade-ba59-f1f82664877b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Azure Databricks | 09210db3-d32c-4b2b-b4e1-f72ae920eb11 | Configure Azure Databricks Workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | f5094957-e0f7-4af2-9e14-13d60141dc4a | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | a81eb966-6696-46b1-9153-bed01569a7d0 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 8d253bba-a338-4fd9-9752-6b6edadca1eb | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 1abe42e1-a726-4dee-94c2-79f364dac9b7 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
Monitoring | 3a8ff864-d881-44ce-bed3-0c63ede634cb | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
App Service | a08ae1ab-8d1d-422b-a123-df82b307ba61 | App Service app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-03-27 17:43:07 | BuiltIn | |
Monitoring | fc744b31-a930-4eb5-bc06-e81f98bf7214 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
SignalR | 21a9766a-82a5-4747-abb5-650b6dbba6d0 | Azure SignalR Service should disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-17 18:44:06 | BuiltIn | |
Security Center | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-03-17 18:44:06 | BuiltIn | |
Container Instances | 21c469fa-a887-4363-88a9-60bfd6911a15 | Configure diagnostics for container group to log analytics workspace | Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. | Default Append Allowed Append, Disabled |
add |
new Policy | 2023-03-17 18:44:06 | BuiltIn | |
API Management | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management calls to API backends should not bypass certificate thumbprint or name validation | To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.1 > 1.0.2) | 2023-03-17 18:44:06 | BuiltIn | |
Machine Learning | 45e05259-1eb5-4f70-9574-baf73e9d219b | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-03-17 18:44:06 | BuiltIn | |
SignalR | 62a3ae95-8169-403e-a2d2-b82141448092 | Modify Azure SignalR Service resources to disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Modify Allowed Modify, Disabled |
count: 001 •SignalR/Web PubSub Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-17 18:44:06 | BuiltIn |
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch (4.0.1 > 4.0.2) | 2023-03-17 18:44:06 | BuiltIn |
Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | [Deprecated]: Azure Machine Learning workspaces should use private link | This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2023-03-17 18:44:06 | BuiltIn | |
Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default Audit Allowed Audit, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2023-03-17 18:44:06 | BuiltIn | |
Guest Configuration | 3810e389-1d92-4f77-9267-33bdcf0bd225 | Windows machines should schedule Windows Defender to perform a scheduled scan every day | To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-17 18:44:06 | BuiltIn | |
Managed Grafana | bc33de80-97cd-4c11-b6b4-d075e03c7d60 | Configure Azure Managed Grafana dashboards with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-03-10 18:58:56 | BuiltIn |
Azure Databricks | 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 | Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption | Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-10 18:58:56 | BuiltIn | |
Backup | 04726aae-4e8d-427c-af7d-ecf56d490022 | [Preview]: Configure Azure Recovery Services vaults to disable public network access | Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
add |
new Policy | 2023-03-10 18:58:56 | BuiltIn |
Managed Grafana | 4c8537f8-cd1b-49ec-b704-18e82a42fd58 | Configure Azure Managed Grafana workspaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2023-03-10 18:58:56 | BuiltIn |
Guest Configuration | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-03-03 18:43:58 | BuiltIn | |
SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have SQL Server extension installed | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Minor (3.2.0 > 3.3.0) | 2023-03-03 18:43:58 | BuiltIn |
Guest Configuration | 3dc5edcd-002d-444c-b216-e123bbfa37c0 | [Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-03-03 18:43:58 | BuiltIn | |
Kubernetes | a8e653d9-b5d4-48a0-afe6-14d881f9ee9a | Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed | Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2023-03-03 18:43:58 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.1.0-preview > 3.2.0-preview) | 2023-03-03 18:43:58 | BuiltIn |
Security Center | 009259b0-12e8-42c9-94e7-7af86aa58d13 | [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Reader •Virtual Machine Contributor |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn | |
Managed Grafana | 3a97e513-f75e-4230-8137-1efad4eadbbc | Azure Managed Grafana should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
Azure Data Explorer | a47272e1-1d5d-4b0b-b366-4873f1432fe0 | Configure Azure Data Explorer clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •SQL Server Contributor |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn |
Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Kubernetes Extension Contributor |
change |
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) | 2023-02-27 19:03:54 | BuiltIn |
Azure Data Explorer | 7b32f193-cb28-4e15-9a98-b9556db0bafa | Configure Azure Data Explorer to disable public network access | Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters . | Default Modify Allowed Modify, Disabled |
count: 001 •SQL Server Contributor |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn |
Azure Data Explorer | 1fec9658-933f-4b3e-bc95-913ed22d012b | Azure Data Explorer should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) | 2023-02-27 19:03:54 | BuiltIn | |
Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
Azure Data Explorer | 43bc7be6-5e69-4b0d-a2bb-e815557ca673 | Public network access on Azure Data Explorer should be disabled | Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn | |
Managed Grafana | e8775d5a-73b7-4977-a39b-833ef0114628 | Azure Managed Grafana workspaces should disable public network access | Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
Azure Data Explorer | f7735886-8927-431f-b201-c953922512b8 | Azure Data Explorer cluster should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
Automanage | fb97d6e1-5c98-4743-a439-23e0977bad9e | [Preview]: Boot Diagnostics should be enabled on virtual machines | Azure virtual machines should have boot diagniostics enabled. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
Monitoring | Deploy-Diagnostics-PostgreSQL | Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace | Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.1.0 > 2.0.0) | 2023-02-23 23:18:45 | ALZ |
Monitoring | Deploy-Diagnostics-Databricks | Deploy Diagnostic Settings for Databricks to Log Analytics workspace | Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.2.0 > 1.3.0) | 2023-02-23 23:18:45 | ALZ |
Automanage | e4953962-5ae4-43eb-bb92-d66fd5563487 | [Preview]: A managed identity should be enabled on your machines | Resources managed by Automanage should have a managed identity. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
Desktop Virtualization | 87ac3038-c07a-4b92-860d-29e270a4f3cd | Azure Virtual Desktop workspaces should disable public network access | Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
Desktop Virtualization | ca950cd7-02f7-422e-8c23-91ff40f169c1 | Azure Virtual Desktop service should use private link | Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Deprecated]: Private endpoint should be configured for Key Vault | The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.1.1-deprecated) | 2023-02-16 18:41:08 | BuiltIn | |
Desktop Virtualization | 2a0913ff-51e7-47b8-97bb-ea17127f7c8d | Configure Azure Virtual Desktop hostpools to disable public network access | Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Desktop Virtualization Host Pool Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
Desktop Virtualization | e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 | Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts | Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Desktop Virtualization Host Pool Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (3.0.1 > 3.1.0) | 2023-02-16 18:41:08 | BuiltIn |
Desktop Virtualization | 7b331e6b-6096-4395-a754-758a64505f19 | Configure Azure Virtual Desktop hostpools with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
Desktop Virtualization | 02aa841c-42e8-492f-a43d-1f2c67e58d41 | Configure Azure Virtual Desktop workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
Desktop Virtualization | a22065a3-3b04-46ff-b84c-2d30e5c300d0 | Azure Virtual Desktop hostpools should disable public network access only on session hosts | Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
Desktop Virtualization | 34804460-d88b-4922-a7ca-537165e060ed | Configure Azure Virtual Desktop workspace resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
Desktop Virtualization | 9427df23-0f42-4e1e-bf99-a6133d841c4a | Configure Azure Virtual Desktop hostpool resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
Automanage | fd4726f4-a5fc-4540-912d-67c96fc992d5 | [Preview]: Automanage Configuration Profile Assignment should be Conformant | Resources managed by Automanage should have a status of Conformant or ConformantCorrected. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
Desktop Virtualization | ce6ebf1d-0b94-4df9-9257-d8cacc238b4f | Configure Azure Virtual Desktop workspaces to disable public network access | Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Desktop Virtualization Workspace Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated) | 2023-02-16 18:41:08 | BuiltIn | |
Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Minor (3.0.1 > 3.1.0) | 2023-02-16 18:41:08 | BuiltIn |
Desktop Virtualization | c25dcf31-878f-4eba-98eb-0818fdc6a334 | Azure Virtual Desktop hostpools should disable public network access | Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
Monitoring | Deploy-Diagnostics-VNetGW | Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace | Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic setting with all metrics and categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.1.0 > 1.1.1) | 2023-02-16 16:18:41 | ALZ |
Monitoring | Deploy-Diagnostics-Website | Deploy Diagnostic Settings for App Service to Log Analytics workspace | Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic setting with all metrics and categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-02-16 16:18:41 | ALZ |
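The version strings in the Change column above follow a major.minor.patch core with an optional suffix (for example 2.1.0 becoming 2.1.0-deprecated), and each deprecation row names its replacement definition inside the description. The following is an added example, not the page's own tooling: it reproduces that change classification and extracts the replacement policy ID from a deprecation notice, then lists which assignments need to be moved. The definition rows are copied from this page; the assignment names are constructed.

```python
"""Added example, not the page's own tooling: classify a definition version
transition the way this changelog's "Change" column does, and pull the
replacement policy ID out of a deprecation notice so assignments that still
point at a deprecated definition can be listed for migration."""
import re
from typing import List, Optional, Tuple

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Deprecation notices on this page use the wording "replacement policy with policy ID <guid>".
REPLACEMENT_RE = re.compile(r"replacement policy with policy ID (" + GUID + r")")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], str]:
    """'2.1.0-deprecated' -> ((2, 1, 0), 'deprecated'); suffix is '' when absent."""
    core, _, suffix = version.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch), suffix


def describe_change(old: str, new: str) -> str:
    """Reproduce the changelog wording, e.g. 'Patch (1.1.0 > 1.1.1)' or
    'Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated)'."""
    (o, old_suffix), (n, new_suffix) = parse_version(old), parse_version(new)
    if n < o:
        raise ValueError(f"version went backwards: {old} > {new}")
    if n[0] != o[0]:
        kind = "Major"
    elif n[1] != o[1]:
        kind = "Minor"
    elif n[2] != o[2]:
        kind = "Patch"
    else:
        kind = "Version remains equal"
    if new_suffix != old_suffix:
        kind += f", new suffix: {new_suffix}" if new_suffix else ", suffix removed"
    elif new_suffix:
        kind += ", suffix remains equal"
    return f"{kind} ({old} > {new})"


def deprecation_replacement(display_name: str, description: str) -> Optional[str]:
    """Replacement definition ID named in a '[Deprecated]' notice, else None."""
    if not display_name.startswith("[Deprecated]"):
        return None
    match = REPLACEMENT_RE.search(description)
    return match.group(1) if match else None


# Definition rows copied from this page.
DEFINITIONS = {
    "7c1b1214-f927-48bf-8882-84f0af6588b1": {
        "displayName": "[Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled",
        "description": "This policy definition is no longer the recommended way to achieve its intent. "
                       "Instead of continuing to use this policy, we recommend you assign this replacement "
                       "policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy "
                       "definition deprecation at aka.ms/policydefdeprecation",
    },
    "c25dcf31-878f-4eba-98eb-0818fdc6a334": {
        "displayName": "Azure Virtual Desktop hostpools should disable public network access",
        "description": "Disabling public network access improves security and keeps your data safe by "
                       "ensuring that access to the Azure Virtual Desktop service is not exposed to the "
                       "public internet.",
    },
}

# Constructed assignments; definitionId is the GUID an assignment's policyDefinitionId ends with.
ASSIGNMENTS = [
    {"name": "vmss-resource-logs", "definitionId": "7c1b1214-f927-48bf-8882-84f0af6588b1"},
    {"name": "avd-no-public-access", "definitionId": "c25dcf31-878f-4eba-98eb-0818fdc6a334"},
]


def migration_plan(assignments: List[dict], definitions: dict) -> List[dict]:
    """Assignments whose definition is deprecated, with the replacement to assign.
    A deprecated definition keeps evaluating, so nothing fails loudly; the control
    simply stops being maintained until the assignment is moved."""
    plan = []
    for assignment in assignments:
        definition = definitions.get(assignment["definitionId"])
        if definition is None or not definition["displayName"].startswith("[Deprecated]"):
            continue
        plan.append({
            "assignment": assignment["name"],
            "deprecated": assignment["definitionId"],
            "replacement": deprecation_replacement(definition["displayName"], definition["description"]),
        })
    return plan


if __name__ == "__main__":
    print(describe_change("2.1.0", "2.1.0-deprecated"))
    print(migration_plan(ASSIGNMENTS, DEFINITIONS))
```

In practice the DEFINITIONS and ASSIGNMENTS inputs would come from an export of policy definitions and assignments in scope; a replacement of None means the notice named no successor and the control has to be re-evaluated by hand rather than swapped.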
Monitoring | 792f8b74-dc05-44fd-b90d-340a097b80e6 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 50cebe4c-8021-4f07-bcb2-6c80622444a9 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 6b359d8f-f88d-4052-aa7c-32015963ecc1 | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | ed6ae75a-828f-4fea-88fd-dead1145f1dd | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | b88bfd90-4da5-43eb-936f-ae1481924291 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 | Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 69ab8bfc-dc5b-443d-93a7-7531551dec66 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 9e6aee71-3781-4acd-bba7-aac4fb067dfa | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | f8352124-56fa-4f94-9441-425109cdc14b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 1513498c-3091-461a-b321-e9b433218d28 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 9f4e810a-899e-4e5e-8174-abfcf15739a3 | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 480851ae-9ff3-49d1-904c-b5bd6f83f1ec | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | f969646f-b6b8-45a0-b736-bf9b4bb933dc | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | b797045a-b3cd-46e4-adc4-bbadb3381d78 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 93a604fe-0ec2-4a99-ab8c-7ef08f05555a | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 106cd3bd-50a1-466c-869f-f9c2d310477b | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 8656d368-0643-4374-a63f-ae0ed4da1d9a | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 69214fad-6742-49a9-8f71-ee9d269364ab | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 818719e5-1338-4776-9a9d-3c31e4df5986 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 20f21bc7-b0b8-4d57-83df-5a8a0912b934 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 8d253bba-a338-4fd9-9752-6b6edadca1eb | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 9ba29e83-863d-4fec-81d0-16dd87067cc3 | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 07c818eb-df75-4465-9233-6a8667e86670 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 1abe42e1-a726-4dee-94c2-79f364dac9b7 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | f08edf17-5de2-4966-8c62-a50a3f4368ff | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | fc744b31-a930-4eb5-bc06-e81f98bf7214 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 4b05de63-3ad2-4f6d-b421-da21f1328f3b | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | a9ebdeda-251a-4311-92be-5167d73b1682 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
SQL | 146412e9-005c-472b-9e48-c87b72ac229e | A Microsoft Entra administrator should be provisioned for MySQL servers | Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn | |
Monitoring | b90ec596-faa6-4c61-9515-34085703e260 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | f873a711-0322-4744-8322-7e62950fbec2 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | eb5a4c26-04cb-4ab1-81cb-726dc58df772 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 567c93f7-3661-494f-a30f-0a94d9bfebf8 | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | bf6af3d2-fbd5-458f-8a40-2556cf539b45 | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 3d034ef2-001c-46f6-a47b-e6e4a74ff89b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 6b2899d8-5fdf-4ade-ba59-f1f82664877b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 03a087c0-b49f-4440-9ae5-013703eccc8c | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 55d1f543-d1b0-4811-9663-d6d0dbc6326d | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 94d707a8-ce27-4851-9ce2-07dfe96a095b | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | e20f31d7-6b6d-4644-962a-ae513a85ab0b | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | b4a9c220-1d62-4163-a17b-30db7d5b7278 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | fe85de62-a656-4b79-9d94-d95c89319bd9 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 14e81583-c89c-47db-af0d-f9ddddcccd9f | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | e488a548-7afd-43a7-a903-2a6dd36e7504 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | edf35972-ed56-4c2f-a4a1-65f0471ba702 | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | a285df35-0164-4f4d-9e04-c39056742c55 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 3496f6fd-57ba-485c-8a14-183c4493b781 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists; Allowed: AuditIfNotExists, DeployIfNotExists, Disabled | count: 002 • Contributor • User Access Administrator | change | Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Guest Configuration | f40c7c00-b4e3-4068-a315-5fe81347a904 | [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines | This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: DeployIfNotExists; Allowed: AuditIfNotExists, DeployIfNotExists, Disabled | count: 002 • Contributor • User Access Administrator | change | Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 0925a080-ab8d-44a1-a39c-61e184b4d8f9 | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 39741c6f-5e8b-4511-bba4-6662d0e0e2ac | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | e7c86682-34c1-488a-9aab-9cb279207992 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 56288eb2-4350-461d-9ece-2bb242269dce | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | d9f11fea-dd45-46aa-8908-b7a146f1e543 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 0628b917-d4b4-4af5-bc2b-b4f87cd173ab | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | aec4c33f-2f2a-4fd3-91cd-24a939513c60 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | a853abad-dfa4-4bf5-aaa1-04cb10c02d23 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 34c7546c-d637-4b5d-96ab-93fb6ed07af8 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
SQL | b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 | A Microsoft Entra administrator should be provisioned for PostgreSQL servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists; Allowed: AuditIfNotExists, DeployIfNotExists, Disabled | count: 002 • Contributor • User Access Administrator | change | Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 90c90eda-bfe7-4c67-bf26-410420ed1047 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | d3e11828-02c8-40d2-a518-ad01508bb4d7 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 614d9fbd-68cd-4832-96db-3362069661b2 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | f5094957-e0f7-4af2-9e14-13d60141dc4a | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 6567d3f3-42d0-4cfb-9606-9741ba60fa07 | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | fc602c00-2ce3-4556-b615-fa4159517103 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 76539a09-021e-4300-953b-4c6018ac26dc | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | f6d5d5d5-0fa9-4257-b820-69c35016c973 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | a8de4d0a-d637-4684-b70e-6df73b74d117 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | d147ba9f-3e17-40b1-9c23-3bca478ba804 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | ae48c709-d2b4-4fad-8c5c-838524130aa4 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | a142867f-3142-4ac6-b952-ab950a29fca5 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 3a8ff864-d881-44ce-bed3-0c63ede634cb | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
API Management | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management secret named values should be stored in Azure Key Vault | Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. | Default: Audit; Allowed: Audit, Disabled, Deny | | change | Patch (1.0.1 > 1.0.2) | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 46b2dd5d-3936-4347-8908-b298ea4466d3 | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 441af8bf-7c88-4efc-bd24-b7be28d4acce | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 0e0c742d-5031-4e65-bf96-1bee7cf55740 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 0da6faeb-d6c6-4f6e-9f49-06277493270b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 71153be3-4742-4aae-9aec-150f7589311b | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | e9c56c41-d453-4a80-af93-2331afeb3d82 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 6f3f5778-f809-4755-9d8f-bd5a5a7add85 | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor | add | new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | b9b976cc-59ef-468a-807e-19afa2ebfd52 | Enable logging by category group for microsoft.network/p2svpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 • Azure Event Hubs Data Owner • Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | dfbfceaa-14b2-4a90-a679-d169fa6a6a38 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | be9259e2-a221-4411-84fd-dd22c6691653 | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | c3b912c2-7f5b-47ac-bd52-8c85a7667961 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | fc66c506-9397-485e-9451-acc1525f0070 | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | a81eb966-6696-46b1-9153-bed01569a7d0 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 00ec9865-beb6-4cfd-82ed-bd8f50756acd | Enable logging by category group for microsoft.network/p2svpngateways to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
Monitoring | 3dd58519-427e-42a4-8ffc-e415a3c716f1 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2023-02-10 18:41:56 | BuiltIn | |
Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.1.0 > 2.2.0) | 2023-02-03 18:39:01 | BuiltIn |
Key Vault | a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.1 > 1.2.1) | 2023-02-03 18:39:01 | BuiltIn | |
Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2023-02-03 18:39:01 | BuiltIn |
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.0.0 > 4.1.0) | 2023-02-03 18:39:01 | BuiltIn |
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (6.0.0 > 6.1.0) | 2023-02-03 18:39:01 | BuiltIn |
Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2023-02-03 18:39:01 | BuiltIn | |
Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.1.0 > 2.2.0) | 2023-02-03 18:39:01 | BuiltIn |
Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2023-02-03 18:39:01 | BuiltIn | |
Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2023-02-03 18:39:01 | BuiltIn |
SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2023-01-27 18:40:07 | BuiltIn | |
Key Vault | 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 | [Preview]: Azure Key Vault should use RBAC permission model | Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-01-27 18:40:07 | BuiltIn | |
API Management | 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 | API Management subscriptions should not be scoped to all APIs | API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. | Default Audit Allowed Audit, Disabled, Deny |
change |
Minor (1.0.0 > 1.1.0) | 2023-01-27 18:40:07 | BuiltIn | |
SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc-enabled Windows/Linux server, the latter should have the SQL Server extension installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Minor (3.1.0 > 3.2.0) | 2023-01-27 18:40:07 | BuiltIn |
Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures a flow log for a specific network security group. It allows logging of information about IP traffic flowing through a network security group. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2023-01-27 18:40:07 | BuiltIn |
Network | e920df7f-9a64-4066-9b58-52684c02a091 | Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has Traffic analytics enabled, the policy does not overwrite its settings. Flow Logs are also enabled for the network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-01-27 18:40:07 | BuiltIn |
Network | 5e1cd26a-5090-4fdb-9d6a-84a90335e22d | Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If a network security group already has traffic analytics enabled, the policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-01-27 18:40:07 | BuiltIn |
Machine Learning | Deny-MachineLearning-PublicAccessWhenBehindVnet | Deny public access behind vnet to Azure Machine Learning workspace | Deny public access behind vnet to Azure Machine Learning workspaces. | Default Deny Allowed Audit, Disabled, Deny |
change |
Patch (1.0.0 > 1.0.1) | 2023-01-24 24:18:06 | ALZ | |
Key Vault | ed7c8c13-51e7-49d1-8a43-8490431a0da2 | Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (3.0.0 > 3.0.1) | 2023-01-23 18:07:09 | BuiltIn |
Backup | 2514263b-bc0d-4b06-ac3e-f262c0979018 | [Preview]: Immutability must be enabled for backup vaults | This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-01-23 18:07:09 | BuiltIn | |
Key Vault | 9d4fad1f-5189-4a42-b29e-cf7929c6b6df | Configure Azure Key Vaults with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Key Vault Contributor •Network Contributor |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-01-23 18:07:09 | BuiltIn |
Key Vault | a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-01-23 18:07:09 | BuiltIn | |
Backup | 9798d31d-6028-4dee-8643-46102185c016 | [Preview]: Soft delete should be enabled for Backup Vaults | This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-01-23 18:07:09 | BuiltIn | |
Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Kubernetes Extension Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-01-23 18:07:09 | BuiltIn |
Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-01-23 18:07:09 | BuiltIn | |
Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | Configure Azure Key Vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-01-23 18:07:09 | BuiltIn |
Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-01-23 18:07:09 | BuiltIn | |
Data Factory | 85bb39b5-2f66-49f8-9306-77da3ac5130f | Azure Data Factory integration runtime should have a limit for number of cores | To manage your resources and costs, limit the number of cores for an integration runtime. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.0.0 > 9.1.0) | 2023-01-13 18:06:06 | BuiltIn |
Security Center | 7926a6d1-b268-4586-8197-e8ae90c877d7 | Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, and response coverage to monitor for common API-based attacks and security misconfigurations. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, new suffix: preview (1.0.0 > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
Machine Learning | ee40564d-486e-4f68-a5ca-7a621edae0fb | Configure Azure Machine Learning workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-01-13 18:06:06 | BuiltIn |
Data Factory | 77d40665-3120-4348-b539-3192ec808307 | Azure Data Factory should use a Git repository for source control | Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
Service Bus | cbd11fd3-3002-4907-b6c8-579f0e700e13 | Service Bus Namespaces should disable public network access | Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-01-13 18:06:06 | BuiltIn | |
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2023-01-13 18:06:06 | BuiltIn |
Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (2.0.0-preview > 2.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
Key Vault | ad27588c-0198-4c84-81ef-08efd0274653 | [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
Data Factory | 127ef6d7-242f-43b3-9eef-947faf1725d0 | Azure Data Factory linked services should use Key Vault for storing secrets | To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.0.0 > 9.1.0) | 2023-01-13 18:06:06 | BuiltIn |
Key Vault | 86810a98-8e91-4a44-8386-ec66d0de5d57 | [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-01-13 18:06:06 | BuiltIn | |
General | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-01-13 18:06:06 | BuiltIn | |
Backup | 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 | [Preview]: Azure Recovery Services vaults should disable public network access | Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-01-13 18:06:06 | BuiltIn | |
Machine Learning | f110a506-2dcb-422e-bcea-d533fc8c35e2 | Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | Fixed [parameters('effects')] |
add |
new Policy | 2023-01-13 18:06:06 | BuiltIn | |
Web PubSub | b66ab71c-582d-4330-adfd-ac162e78691e | Azure Web PubSub Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Web PubSub Service exclusively require Azure Active Directory identities for authentication. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-01-13 18:06:06 | BuiltIn | |
Key Vault | 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 | [Preview]: Azure Key Vault Managed HSM keys should have an expiration date | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | This policy is deprecated. The policy ensures that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2023-01-13 18:06:06 | BuiltIn | |
Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-01-13 18:06:06 | BuiltIn |
Key Vault | e58fd0c1-feac-4d12-92db-0a7e9421f53e | [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
Web PubSub | 17f9d984-90c8-43dd-b7a6-76cb694815c1 | Configure Azure Web PubSub Service to disable local authentication | Disable local authentication methods so that your Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •SignalR/Web PubSub Contributor |
add |
new Policy | 2023-01-13 18:06:06 | BuiltIn |
Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Deprecated]: Configure Microsoft Defender for APIs should be enabled | This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch, new suffix: preview (1.0.0 > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn |
Container Registry | e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 | Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-01-13 18:06:06 | BuiltIn |
Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-01-13 18:06:06 | BuiltIn | |
Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor; Virtual Machine Contributor | change | Minor (9.0.0 > 9.1.0) | 2023-01-13 18:06:06 | BuiltIn |
Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor; Virtual Machine Contributor | change | Minor (9.0.0 > 9.1.0) | 2023-01-13 18:06:06 | BuiltIn |
SQL | 86a912f6-9a06-4e26-b447-11b16ba8659f | Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | SQL DB Contributor | change | Minor (2.1.0 > 2.2.0) | 2023-01-13 18:06:06 | BuiltIn |
Event Hub | 0602787f-9896-402a-a6e1-39ee63ee435e | Event Hub Namespaces should disable public network access | Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2023-01-13 18:06:06 | BuiltIn |
Guest Configuration | cd22fc48-f2c9-4b86-98d3-ec1268b46a8a | Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Guest Configuration Resource Contributor | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-01-04 18:03:56 | BuiltIn |
Guest Configuration | 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 | [Preview]: Configure Windows Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Guest Configuration Resource Contributor | change | Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-01-04 18:03:56 | BuiltIn |
SQL | Deploy-Sql-vulnerabilityAssessments | [Deprecated]: Deploy SQL Database vulnerability Assessments | Deploy SQL Database vulnerability Assessments when they do not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Monitoring Contributor; SQL Security Manager; Storage Account Contributor | change | Patch (1.0.0 > 1.0.1) Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ | 2023-01-04 04:18:03 | ALZ |
Security Center | Deploy-ASC-SecurityContacts | Deploy Microsoft Defender for Cloud Security Contacts | Deploy Microsoft Defender for Cloud Security Contacts | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Security Admin | change | Minor (1.0.0 > 1.1.0) | 2022-12-28 28:18:06 | ALZ |
Security Center | 8893442c-e7cb-4637-bab8-299a5d4ed96a | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine | Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Major (2.0.0 > 3.0.0) | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | a7acfae7-9497-4a3f-a3b5-a16a50abbe2f | [Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Azure Connected Machine Resource Administrator | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Guest Configuration | 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 | [Preview]: Configure Windows Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Guest Configuration Resource Contributor | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Major (1.0.1 > 2.0.0) | 2022-12-21 17:43:51 | BuiltIn |
Guest Configuration | cd22fc48-f2c9-4b86-98d3-ec1268b46a8a | Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Guest Configuration Resource Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Major (2.0.0 > 3.0.0) | 2022-12-21 17:43:51 | BuiltIn |
App Service | f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 | App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Machine Learning | f59276f0-5740-4aaf-821d-45d185aa210e | Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Guest Configuration | fad40cac-a972-4db0-b204-f1b15cced89a | Local authentication methods should be disabled on Linux machines | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | Guest Configuration Resource Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Machine Learning | afe0c3be-ba3b-4544-ba52-0c99672a8ad6 | Resource logs in Azure Machine Learning Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostic settings. | Fixed: AuditIfNotExists | | change | Patch (2.0.0 > 2.0.1) | 2022-12-21 17:43:51 | BuiltIn |
Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of the Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about the AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5192 | [Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any Queue Service which is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update the account. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Patch (4.0.0 > 4.0.1) | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
App Service | 33228571-70a4-4fa1-8ca1-26d0aba8d6ef | [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-12-21 17:43:51 | BuiltIn |
Kubernetes | c5110b6e-5272-4989-9935-59ad06fdf341 | Azure Kubernetes Clusters should enable Container Storage Interface (CSI) | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, see https://aka.ms/aks-csi-driver | Default: Audit; Allowed: Audit, Disabled | | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
App Service | ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd | [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-12-21 17:43:51 | BuiltIn |
Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Contributor | change | Major, suffix remains equal (2.0.1-preview > 3.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | 8fd85785-1547-4a4a-bf90-d5483c9571c5 | [Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Major (3.0.0 > 4.0.0) | 2022-12-21 17:43:51 | BuiltIn |
Security Center | 938c4981-c2c9-4168-9cd6-972b8675f906 | Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers | Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. | Default: Audit; Allowed: Audit, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2022-12-21 17:43:51 | BuiltIn |
Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Major (1.0.1 > 2.0.0) | 2022-12-21 17:43:51 | BuiltIn |
Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of the Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Security Center | f08f556c-12ff-464d-a7de-40cb5b6cccec | [Preview]: Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Azure Databricks | 51c1490f-3319-459c-bbbc-7f391bbed753 | Azure Databricks Clusters should disable public IP | Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d2c | [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets | Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Security Center | 1288c8d7-4b05-4e3a-bc88-9053caefc021 | [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets | Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | bef2d677-e829-492d-9a3d-f5a20fda818f | [Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | 1142b015-2bd7-41e0-8645-a531afe09a1e | [Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Security Center | ec88097d-843f-4a92-8471-78016d337ba4 | [Preview]: Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Guest Configuration | 5fe81c49-16b6-4870-9cee-45d13bf902ce | Local authentication methods should be disabled on Windows Servers | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | 4485d24b-a9d3-4206-b691-1fad83bc5007 | [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | add | new Policy | 2022-12-21 17:43:51 | BuiltIn |
Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major, suffix remains equal (2.1.1-preview > 3.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | ef9fe2ce-a588-4edd-829c-6247069dcfdb | [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
Azure Databricks | 138ff14d-b687-4faa-a81c-898c91a87fa2 | Resource logs in Azure Databricks Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
App Service | 801543d1-1953-4a90-b8b0-8cf6d41473a5 | App Service apps should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | [Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
Azure Databricks | 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d | Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (5.0.0 > 6.0.0) | 2022-12-21 17:43:51 | BuiltIn |
Security Center | 10caed8a-652c-4d1d-84e4-2805b7c07278 | [Preview]: Configure ChangeTracking Extension for Linux Arc machines | Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
App Service | a691eacb-474d-47e4-b287-b4813ca44222 | App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d00 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets | Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn | |
App Service | 5747353b-1ca9-42c1-a4dd-b874b894f3d4 | App Service app slots should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
Security Center | 4bb303db-d051-4099-95d2-e3e1428a4cd5 | [Preview]: Configure ChangeTracking Extension for Windows Arc machines | Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2022-12-21 17:43:51 | BuiltIn |
Security Center | 221aac80-54d8-484b-83d7-24f4feac2ce0 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine | Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn | |
Security Center | e71c1e29-9c76-4532-8c4b-cb0573b0014c | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets | Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn | |
Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | ad1eeff9-20d7-4c82-a04e-903acab0bfc1 | [Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-12-21 17:43:51 | BuiltIn |
ChangeTrackingAndInventory | b6faa975-0add-4f35-8d1c-70bba45c4424 | [Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
Monitoring | Deploy-Diagnostics-DataFactory | Deploy Diagnostic Settings for Data Factory to Log Analytics workspace | Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2022-12-16 16:17:44 | ALZ |
Monitoring | c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 | Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | Fixed deployIfNotExists |
count: 002 •Monitoring Contributor •Storage Account Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2022-12-09 17:45:23 | BuiltIn |
SQL | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-12-09 17:45:23 | BuiltIn | |
Monitoring | Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace | Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-11-22 22:17:43 | ALZ |
Monitoring | Deploy-Diagnostics-Databricks | Deploy Diagnostic Settings for Databricks to Log Analytics workspace | Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2022-11-21 21:17:43 | ALZ |
SQL | Deploy-Sql-Tde | [Deprecated] Deploy SQL Database Transparent Data Encryption | Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Security Manager |
change |
Minor (1.0.0 > 1.1.0) Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn |
2022-11-17 17:17:42 | ALZ |
SQL | Deploy-Sql-SecurityAlertPolicies | Deploy SQL Database security Alert Policies configuration with email admin accounts | Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Security Manager |
change |
Minor (1.0.0 > 1.1.1) | 2022-11-17 17:17:42 | ALZ |
Network | Deny-PublicIP | [Deprecated] Deny the creation of public IP | [Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters. | Default Deny Allowed Audit, Deny, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Not allowed resource types (6c112d4e-5bc7-47ae-a041-ea2d9dccd749) BuiltIn |
2022-11-14 14:17:43 | ALZ | |
Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2022-11-04 17:41:52 | BuiltIn | |
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.1.0 > 3.0.0) | 2022-11-04 17:41:52 | BuiltIn |
Security Center | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | Microsoft Defender CSPM should be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-11-04 17:41:52 | BuiltIn | |
Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.1.0 > 2.0.0) | 2022-11-04 17:41:52 | BuiltIn |
Security Center | 689f7782-ef2c-4270-a6d0-7664869076bd | Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2022-11-04 17:41:52 | BuiltIn |
Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.1.0 > 2.0.0) | 2022-11-04 17:41:52 | BuiltIn |
Network | Deploy-DDoSProtection | Deploy an Azure DDoS Network Protection | Deploys an Azure DDoS Network Protection | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-11-03 03:17:41 | ALZ |
Monitoring | Deploy-Nsg-FlowLogs | [Deprecated] Deploys NSG flow logs and traffic analytics | [Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn |
2022-11-02 02:17:41 | ALZ |
Monitoring | Deploy-Nsg-FlowLogs-to-LA | [Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics | [Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 005 •Contributor •Log Analytics Contributor •Network Contributor •Storage Account Contributor •Storage Account Key Operator Service Role |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn |
2022-11-02 02:17:41 | ALZ |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-10-28 16:42:53 | BuiltIn |
Automation | dea83a72-443c-4292-83d5-54a2f98749c0 | Automation Account should have Managed Identity | Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code . | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-10-28 16:42:53 | BuiltIn | |
Security Center | 938c4981-c2c9-4168-9cd6-972b8675f906 | Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers | Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-10-28 16:42:53 | BuiltIn | |
Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Azure Machine Learning Computes to disable local authentication methods | Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-10-28 16:42:53 | BuiltIn |
Kubernetes | 5485eac0-7e8f-4964-998b-a44f4f0c1e75 | Kubernetes cluster Windows containers should not run as ContainerAdministrator | Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-10-28 16:42:53 | BuiltIn | |
Machine Learning | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f | Azure Machine Learning Computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-10-28 16:42:53 | BuiltIn | |
Monitoring | Deploy-Diagnostics-AA | Deploy Diagnostic Settings for Automation to Log Analytics workspace | Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-iotHub | Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace | Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-NIC | Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace | Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-Relay | Deploy Diagnostic Settings for Relay to Log Analytics workspace | Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-Firewall | Deploy Diagnostic Settings for Firewall to Log Analytics workspace | Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-VNetGW | Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace | Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-Databricks | Deploy Diagnostic Settings for Databricks to Log Analytics workspace | Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-WVDAppGroup | Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace | Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.1 > 1.1.1) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-PostgreSQL | Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace | Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-MariaDB | Deploy Diagnostic Settings for MariaDB to Log Analytics workspace | Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-ExpressRoute | Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace | Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-DataFactory | Deploy Diagnostic Settings for Data Factory to Log Analytics workspace | Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-Website | Deploy Diagnostic Settings for App Service to Log Analytics workspace | Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-AVDScalingPlans | Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace | Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-HDInsight | Deploy Diagnostic Settings for HDInsight to Log Analytics workspace | Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-LoadBalancer | Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace | Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-LogicAppsISE | Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-WebServerFarm | Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace | Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-WVDHostPools | Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace | Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.1.0 > 1.2.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-EventGridTopic | Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace | Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-EventGridSystemTopic | Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace | Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-TrafficManager | Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace | Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-VM | Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace | Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-CDNEndpoints | Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace | Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-VMSS | Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace | Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-SignalR | Deploy Diagnostic Settings for SignalR to Log Analytics workspace | Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-MySQL | Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace | Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-DLAnalytics | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-Bastion | Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace | Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-ApplicationGateway | Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace | Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-Function | Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace | Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-ACR | Deploy Diagnostic Settings for Container Registry to Log Analytics workspace | Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-CosmosDB | Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace | Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-TimeSeriesInsights | Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace | Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-AnalysisService | Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace | Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-SQLElasticPools | Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace | Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-ApiForFHIR | Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace | Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-RedisCache | Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace | Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-WVDWorkspace | Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace | Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categories enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.1 > 1.1.1) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-FrontDoor | Deploy Diagnostic Settings for Front Door to Log Analytics workspace | Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-NetworkSecurityGroups | Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace | Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-DataExplorerCluster | Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace | Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-PowerBIEmbedded | Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace | Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-APIMgmt | Deploy Diagnostic Settings for API Management to Log Analytics workspace | Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-ACI | Deploy Diagnostic Settings for Container Instances to Log Analytics workspace | Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-CognitiveServices | Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace | Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-MediaService | Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-SQLMI | Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace | Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-VirtualNetwork | Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace | Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
Monitoring | Deploy-Diagnostics-MlWorkspace | Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace | Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |