last sync: 2024-Apr-24 17:46:58 UTC

Changes on Azure Policy definitions

Row layout: Category | Id | Type, then DisplayName, Description, Effect (default value; allowed values, or a fixed value where the effect cannot be changed by the assignment), Roles used (the role definitions the assignment's remediation identity must hold; none for audit-only and Mutate policies), and Subject (add or change, the version change, and the change date in UTC, y-m-d).
Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | BuiltIn
  DisplayName: [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present.
  Description: Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: change, Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview), 2024-04-22 16:32:55 UTC
Communication | bcff6755-335b-484d-b435-d1161db39cdc | BuiltIn
  DisplayName: Communication service resource should use a managed identity
  Description: Assigning a managed identity to your Communication service resource helps ensure secure authentication. This identity is used by this Communication service resource to communicate with other Azure services, like Azure Storage, in a secure way without you having to manage any credentials.
  Effect: default Audit; allowed Audit, Deny, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-22 16:32:55 UTC
Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | BuiltIn
  DisplayName: [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets
  Description: Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy.
  Effect: default DeployIfNotExists; allowed AuditIfNotExists, DeployIfNotExists, Disabled
  Roles used (2): Contributor, User Access Administrator
  Subject: change, Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview), 2024-04-22 16:32:55 UTC
Communication | 93c45b74-42a1-4967-b25d-82c4dc630921 | BuiltIn
  DisplayName: Communication service resource should use allow listed data location
  Description: Create a Communication service resource only from an allow listed data location. This data location determines where the data of the communication service resource will be stored at rest, ensuring your preferred allow listed data locations as this cannot be changed after resource creation.
  Effect: default Audit; allowed Audit, Deny, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-22 16:32:55 UTC
Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | BuiltIn
  DisplayName: [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines
  Description: Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy.
  Effect: default DeployIfNotExists; allowed AuditIfNotExists, DeployIfNotExists, Disabled
  Roles used (2): Contributor, User Access Administrator
  Subject: change, Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview), 2024-04-22 16:32:55 UTC
Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | BuiltIn
  DisplayName: Create and assign a built-in user-assigned managed identity
  Description: Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.
  Effect: default DeployIfNotExists; allowed AuditIfNotExists, DeployIfNotExists, Disabled
  Roles used (1): Contributor
  Subject: change, Minor (1.4.0 > 1.5.0), 2024-04-22 16:32:55 UTC
Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | BuiltIn
  DisplayName: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
  Description: Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Contributor
  Subject: change, Minor (1.4.0 > 1.5.0), 2024-04-22 16:32:55 UTC
Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | BuiltIn
  DisplayName: Configure the Microsoft Defender for SQL Log Analytics workspace
  Description: Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Contributor
  Subject: change, Minor (1.2.0 > 1.3.0), 2024-04-22 16:32:55 UTC
Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | BuiltIn
  DisplayName: [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present.
  Description: Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: change, Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview), 2024-04-22 16:32:55 UTC
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | BuiltIn
  DisplayName: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace
  Description: Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Contributor
  Subject: change, Minor (1.4.0 > 1.5.0), 2024-04-22 16:32:55 UTC
System Policy | 0e7201a7-b325-480a-907d-5f198e95e1d3 | BuiltIn
  DisplayName: [Deprecated]: The resource name should follow naming conventions in the region.
  Description: The policy defines the naming conventions for the specified resource types in the specified regions
  Effect: fixed deny
  Roles used: none
  Subject: add, new Policy, 2024-04-22 16:32:55 UTC
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | BuiltIn
  DisplayName: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
  Description: Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Contributor
  Subject: change, Minor (1.4.0 > 1.5.0), 2024-04-22 16:32:55 UTC
Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | BuiltIn
  DisplayName: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace
  Description: Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Contributor
  Subject: change, Minor (1.3.0 > 1.4.0), 2024-04-22 16:32:55 UTC
Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | BuiltIn
  DisplayName: Linux virtual machines should have Azure Monitor Agent installed
  Description: Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.
  Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
  Roles used: none
  Subject: change, Minor (3.1.0 > 3.2.0), 2024-04-12 17:45:57 UTC
Kubernetes | 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 | BuiltIn
  DisplayName: [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.
  Description: Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: change, Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview), 2024-04-12 17:45:57 UTC
Azure Ai Services | 55eff01b-f2bd-4c32-9203-db285f709d30 | BuiltIn
  DisplayName: Configure Azure AI Services resources to disable local key access (disable local authentication)
  Description: Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (2): Cognitive Services Contributor, Cognitive Services OpenAI Contributor
  Subject: add, new Policy, 2024-04-12 17:45:57 UTC
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | BuiltIn
  DisplayName: Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
  Description: Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (2): Log Analytics Contributor, Monitoring Contributor
  Subject: change, Minor (4.4.0 > 4.5.0), 2024-04-12 17:45:57 UTC
Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | BuiltIn
  DisplayName: [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present.
  Description: Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: change, Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview), 2024-04-12 17:45:57 UTC
Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | BuiltIn
  DisplayName: Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication
  Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Virtual Machine Contributor
  Subject: change, Minor (3.4.0 > 3.5.0), 2024-04-12 17:45:57 UTC
Kubernetes | 8e875f96-2c56-40ca-86db-b9f6a0be7347 | BuiltIn
  DisplayName: [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.
  Description: Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: change, Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview), 2024-04-12 17:45:57 UTC
Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | BuiltIn
  DisplayName: Configure Linux Arc-enabled machines to run Azure Monitor Agent
  Description: Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Azure Connected Machine Resource Administrator
  Subject: change, Minor (2.3.0 > 2.4.0), 2024-04-12 17:45:57 UTC
Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | BuiltIn
  DisplayName: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
  Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Virtual Machine Contributor
  Subject: change, Minor (3.5.0 > 3.6.0), 2024-04-12 17:45:57 UTC
Guest Configuration | 3dc5edcd-002d-444c-b216-e123bbfa37c0 | BuiltIn
  DisplayName: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.
  Description: Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
  Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
  Roles used: none
  Subject: change, Patch, old suffix: preview (1.1.0-preview > 1.1.1), 2024-04-12 17:45:57 UTC
Guest Configuration | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | BuiltIn
  DisplayName: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.
  Description: Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
  Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
  Roles used: none
  Subject: change, Patch, old suffix: preview (1.2.0-preview > 1.2.1), 2024-04-12 17:45:57 UTC
Security Center | 3d5ed4c2-5e50-4c76-932b-8982691b68ae | BuiltIn
  DisplayName: Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers
  Description: Enable Advanced Threat Protection on your Azure database for MySQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Contributor
  Subject: add, new Policy, 2024-04-12 17:45:57 UTC
Kubernetes | d77f191e-2338-45d0-b6d4-4ee1c586a192 | BuiltIn
  DisplayName: [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources
  Description: Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: change, Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview), 2024-04-12 17:45:57 UTC
Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | BuiltIn
  DisplayName: Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication
  Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Virtual Machine Contributor
  Subject: change, Minor (3.4.0 > 3.5.0), 2024-04-12 17:45:57 UTC
Azure Ai Services | d45520cb-31ca-44ba-8da2-fcf914608544 | BuiltIn
  DisplayName: Configure Azure AI Services resources to disable local key access (disable local authentication)
  Description: Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (3): Cognitive Services Contributor, Cognitive Services OpenAI Contributor, Search Service Contributor
  Subject: add, new Policy, 2024-04-12 17:45:57 UTC
Kubernetes | e16d171b-bfe5-4d79-a525-19736b396e92 | BuiltIn
  DisplayName: [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool.
  Description: To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: change, Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview), 2024-04-12 17:45:57 UTC
Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | BuiltIn
  DisplayName: [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present.
  Description: Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: change, Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview), 2024-04-12 17:45:57 UTC
Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | BuiltIn
  DisplayName: Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication
  Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Virtual Machine Contributor
  Subject: change, Minor (3.5.0 > 3.6.0), 2024-04-12 17:45:57 UTC
Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | BuiltIn
  DisplayName: Linux virtual machine scale sets should have Azure Monitor Agent installed
  Description: Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.
  Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
  Roles used: none
  Subject: change, Minor (3.1.0 > 3.2.0), 2024-04-12 17:45:57 UTC
Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | BuiltIn
  DisplayName: Linux Arc-enabled machines should have Azure Monitor Agent installed
  Description: Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview.
  Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
  Roles used: none
  Subject: change, Minor (1.1.0 > 1.2.0), 2024-04-12 17:45:57 UTC
Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | BuiltIn
  DisplayName: Configure Microsoft Defender for Storage to be enabled
  Description: Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Owner
  Subject: change, Minor (1.1.0 > 1.2.0), 2024-04-12 17:45:57 UTC
Monitoring | e20f31d7-6b6d-4644-962a-ae513a85ab0b | BuiltIn
  DisplayName: Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage
  Description: Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces).
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, AuditIfNotExists, Disabled
  Roles used (1): Log Analytics Contributor
  Subject: change, Minor (1.0.0 > 1.1.0), 2024-04-08 17:52:20 UTC
Kubernetes | 8e875f96-2c56-40ca-86db-b9f6a0be7347 | BuiltIn
  DisplayName: [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.
  Description: Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-08 17:52:20 UTC
Monitoring | 441af8bf-7c88-4efc-bd24-b7be28d4acce | BuiltIn
  DisplayName: Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics
  Description: Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces).
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, AuditIfNotExists, Disabled
  Roles used (1): Log Analytics Contributor
  Subject: change, Minor (1.0.0 > 1.1.0), 2024-04-08 17:52:20 UTC
Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | BuiltIn
  DisplayName: [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present.
  Description: Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-08 17:52:20 UTC
Monitoring | fc602c00-2ce3-4556-b615-fa4159517103 | BuiltIn
  DisplayName: Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub
  Description: Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses).
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, AuditIfNotExists, Disabled
  Roles used (2): Azure Event Hubs Data Owner, Log Analytics Contributor
  Subject: change, Minor (1.1.0 > 1.2.0), 2024-04-08 17:52:20 UTC
Monitoring | 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 | BuiltIn
  DisplayName: Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage
  Description: Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses).
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, AuditIfNotExists, Disabled
  Roles used (1): Log Analytics Contributor
  Subject: change, Minor (1.0.0 > 1.1.0), 2024-04-08 17:52:20 UTC
Monitoring | 8656d368-0643-4374-a63f-ae0ed4da1d9a | BuiltIn
  DisplayName: Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage
  Description: Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases).
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, AuditIfNotExists, Disabled
  Roles used (1): Log Analytics Contributor
  Subject: change, Minor (1.0.0 > 1.1.0), 2024-04-08 17:52:20 UTC
Kubernetes | 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 | BuiltIn
  DisplayName: [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.
  Description: Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-08 17:52:20 UTC
Kubernetes | e16d171b-bfe5-4d79-a525-19736b396e92 | BuiltIn
  DisplayName: [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool.
  Description: To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-08 17:52:20 UTC
Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | BuiltIn
  DisplayName: [Deprecated]: Cognitive Services accounts should disable public network access
  Description: To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.
  Effect: default Disabled; allowed Audit, Deny, Disabled
  Roles used: none
  Subject: change, Minor, new suffix: deprecated (3.0.1 > 3.1.0-deprecated), 2024-04-08 17:52:20 UTC
Monitoring | 9e6aee71-3781-4acd-bba7-aac4fb067dfa | BuiltIn
  DisplayName: Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub
  Description: Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases).
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, AuditIfNotExists, Disabled
  Roles used (2): Azure Event Hubs Data Owner, Log Analytics Contributor
  Subject: change, Minor (1.1.0 > 1.2.0), 2024-04-08 17:52:20 UTC
Kubernetes | 021f8078-41a0-40e6-81b6-c6597da9f3ee | BuiltIn
  DisplayName: [Preview]: Kubernetes cluster container images should not include latest image tag
  Description: Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images.
  Effect: default Audit; allowed Audit, Deny, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-08 17:52:20 UTC
Monitoring | 480851ae-9ff3-49d1-904c-b5bd6f83f1ec | BuiltIn
  DisplayName: Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub
  Description: Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces).
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, AuditIfNotExists, Disabled
  Roles used (2): Azure Event Hubs Data Owner, Log Analytics Contributor
  Subject: change, Minor (1.1.0 > 1.2.0), 2024-04-08 17:52:20 UTC
Kubernetes | d77f191e-2338-45d0-b6d4-4ee1c586a192 | BuiltIn
  DisplayName: [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources
  Description: Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-08 17:52:20 UTC
Monitoring | 1513498c-3091-461a-b321-e9b433218d28 | BuiltIn
  DisplayName: Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics
  Description: Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses).
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, AuditIfNotExists, Disabled
  Roles used (1): Log Analytics Contributor
  Subject: change, Minor (1.0.0 > 1.1.0), 2024-04-08 17:52:20 UTC
Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | BuiltIn
  DisplayName: [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present.
  Description: Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.
  Effect: default Mutate; allowed Mutate, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-08 17:52:20 UTC
Security Center | 0b15565f-aa9e-48ba-8619-45960f2c314d | BuiltIn
  DisplayName: Email notification to subscription owner for high severity alerts should be enabled
  Description: To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.
  Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
  Roles used: none
  Subject: change, Minor (2.0.0 > 2.1.0), 2024-04-08 17:52:20 UTC
Monitoring | 6567d3f3-42d0-4cfb-9606-9741ba60fa07 | BuiltIn
  DisplayName: Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics
  Description: Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases).
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, AuditIfNotExists, Disabled
  Roles used (1): Log Analytics Contributor
  Subject: change, Minor (1.0.0 > 1.1.0), 2024-04-08 17:52:20 UTC
Kubernetes | 1a3b9003-eac6-4d39-a184-4a567ace7645 | BuiltIn
  DisplayName: [Preview]: Kubernetes cluster container images must include the preStop hook
  Description: Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.
  Effect: default Audit; allowed Audit, Deny, Disabled
  Roles used: none
  Subject: add, new Policy, 2024-04-08 17:52:20 UTC
Security Center | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | BuiltIn
  DisplayName: Email notification for high severity alerts should be enabled
  Description: To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.
  Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
  Roles used: none
  Subject: change, Minor (1.0.1 > 1.1.0), 2024-04-08 17:52:20 UTC
Network | 052c180e-287d-44c3-86ef-01aeae2d9774 | BuiltIn
  DisplayName: Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics
  Description: If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (1): Contributor
  Subject: change, Patch (1.1.1 > 1.1.2), 2024-03-29 18:59:24 UTC
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | BuiltIn
  DisplayName: Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
  Description: Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (2): Log Analytics Contributor, Monitoring Contributor
  Subject: change, Minor (6.2.0 > 6.3.0), 2024-03-29 18:59:24 UTC
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | BuiltIn
  DisplayName: Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
  Description: Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (2): Log Analytics Contributor, Monitoring Contributor
  Subject: change, Minor (4.3.0 > 4.4.0), 2024-03-29 18:59:24 UTC
Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | BuiltIn
  DisplayName: Windows virtual machines should have Azure Monitor Agent installed
  Description: Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.
  Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
  Roles used: none
  Subject: change, Minor (3.1.0 > 3.2.0), 2024-03-25 19:17:21 UTC
Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | BuiltIn
  DisplayName: Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint
  Description: Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (2): Log Analytics Contributor, Monitoring Contributor
  Subject: change, Minor (4.1.0 > 4.2.0), 2024-03-25 19:17:21 UTC
Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | BuiltIn
  DisplayName: Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
  Description: Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.
  Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
  Roles used (2): Log Analytics Contributor, Monitoring Contributor
  Subject: change, Minor (2.1.0 > 2.2.0), 2024-03-25 19:17:21 UTC
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.2.0 > 3.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.3.0 > 2.4.0) 2024-03-25 19:17:21 BuiltIn
Monitoring ec621e21-8b48-403d-a549-fc9023d4747f Windows Arc-enabled machines should have Azure Monitor Agent installed Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.2.0 > 3.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.1.0 > 4.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (6.1.0 > 6.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.2.0 > 4.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2024-03-25 19:17:21 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (2.1.0 > 2.2.0) 2024-03-25 19:17:21 BuiltIn
DevCenter ece3c79b-2caf-470d-a5f5-66470c4fc649 [Preview]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks. Disallows the use of Microsoft Hosted Networks when creating Pool resources. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-25 19:17:21 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-03-25 19:17:21 BuiltIn
Backup d6588149-9f06-462c-a076-56aece45b5ba [Preview]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. Also an option to enforce Infra Encryption. This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope. Additionally, there is an option to check whether the Backup Vault also has Infrastructure Encryption enabled. Learn more at https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk. Please note that when the 'Deny' effect is used, you will need to enable Encryption Settings on the existing Backup Vaults in order to allow other update operations on the vault to go through. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-25 19:17:21 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (4.3.0 > 4.4.0) 2024-03-25 19:17:21 BuiltIn
Security Center 5f0f936f-2f01-4bf5-b6be-d423792fa562 [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (2.0.2 > 2.1.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.3 > 1.1.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
General 78460a36-508a-49a4-b2b2-2f5ec564f4bb Do not allow deletion of resource types This policy enables you to specify the resource types that your organization can protect from accidental deletion by blocking delete calls using the deny action effect. Default
DenyAction
Allowed
DenyAction, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-03-15 22:15:34 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Improve cluster security by centrally governing Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Minor (2.0.4 > 2.1.0) 2024-03-15 22:15:34 BuiltIn
Trusted Launch b03bb370-5249-4ea4-9fce-2552e87e45fa Disks and OS image should support TrustedLaunch TrustedLaunch improves security of a Virtual Machine which requires OS Disk & OS Image to support it (Gen 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-03-11 18:31:50 BuiltIn
Azure Ai Services 1b4d1c4e-934c-4703-944c-27c82c06bebb Diagnostic logs in Azure AI services resources should be enabled Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-03-11 18:31:50 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2024-03-11 18:31:50 BuiltIn
Cache 766f5de3-c6c0-4327-9f4d-042ab8ae846c Configure Azure Cache for Redis to disable non SSL ports Enable SSL only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. Default
Modify
Allowed
Modify, Disabled
count: 001
Redis Cache Contributor
add
new Policy 2024-03-11 18:31:50 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Minor (4.0.1 > 4.1.0) 2024-03-11 18:31:50 BuiltIn
Trusted Launch c95b54ad-0614-4633-ab29-104b01235cbf Virtual Machine should have TrustedLaunch enabled Enable TrustedLaunch on Virtual Machine for enhanced security, use VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-03-11 18:31:50 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.6.0 > 3.7.0) 2024-03-11 18:31:50 BuiltIn
Azure Ai Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-03-11 18:31:50 BuiltIn
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Minor (2.0.1 > 2.1.0) 2024-03-11 18:31:50 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on Azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor (4.7.0 > 4.8.0) 2024-03-11 18:31:50 BuiltIn
Stack HCI ee8ca833-1583-4d24-837e-96c2af9488a4 [Preview]: Azure Stack HCI systems should have encrypted volumes Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI dad3a6b9-4451-492f-a95c-69efc6f3fada [Preview]: Azure Stack HCI servers should have consistently enforced application control policies At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
new Policy 2024-03-01 17:50:27 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance security by rejecting invoke-command access to the cluster. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Minor (1.1.0 > 1.2.0) 2024-03-01 17:50:27 BuiltIn
Stack HCI 7384fde3-11b0-4047-acbd-b3cf3cc8ce07 [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/dad3a6b9-4451-492f-a95c-69efc6f3fada. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Stack HCI aee306e7-80b0-46f3-814c-d3d3083ed034 [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Stack HCI 36f0d6bc-a253-4df8-b25b-c3a5023ff443 [Preview]: Host and VM networking should be protected on Azure Stack HCI systems Protect data on the Azure Stack HCI hosts network and on virtual machine network connections. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
new Policy 2024-03-01 17:50:27 BuiltIn
Mobile Network 45c4e9bd-ad6b-4634-9566-c2dad2f03cbf SIM Group should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of SIM secrets in a SIM Group. Customer-managed keys are commonly required to meet regulatory compliance standards and they enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-01 17:50:27 BuiltIn
Mobile Network 7508b186-60e2-4518-bf70-3d7fbaba1f3a Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID Authentication type must be Microsoft EntraID for packet core diagnostic access over local APIs Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
add
new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI 56c47221-b8b7-446e-9ab7-c7c9dc07f0ad [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Stack HCI 5e6bf724-0154-49bc-985f-27b2e07e636b [Preview]: Azure Stack HCI servers should meet Secured-core requirements Ensure that all Azure Stack HCI servers meet the Secured-core requirements. To enable the Secured-core server requirements: 1. From the Azure Stack HCI clusters page, go to Windows Admin Center and select Connect. 2. Go to the Security extension and select Secured-core. 3. Select any setting that is not enabled and click Enable. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
new Policy 2024-03-01 17:50:27 BuiltIn
Mobile Network aec63c84-f9ea-46c7-9e66-ba567bae0f09 Packet Core Control Plane diagnostic access should only use Microsoft EntraID authentication type Authentication type must be Microsoft EntraID for packet core diagnostic access over local APIs Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI ae95f12a-b6fd-42e0-805c-6b94b86c9830 [Deprecated]: Azure Stack HCI systems should have encrypted volumes This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.0.1 > 4.1.0) 2024-02-27 19:10:20 BuiltIn
VirtualEnclaves 41a72361-06e3-4e80-832a-690bd0708bc1 Configure Storage Accounts to restrict network access through network ACL bypass configuration only. To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access. Default
Modify
Allowed
Modify, Disabled
count: 001
Storage Account Contributor
add
new Policy 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
Backup 2514263b-bc0d-4b06-ac3e-f262c0979018 [Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest fa8af49a-f61d-4f56-9138-46b77d37df43 [Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Default
Audit
Allowed
Audit, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.1.0 > 3.2.0) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels Default
Disabled
Allowed
Audit, Deny, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
Minor (4.0.4 > 4.1.0) 2024-02-27 19:10:20 BuiltIn
System Policy b86dabb9-b578-4d7b-b842-3b45e95769a1 Allowed resource deployment regions This policy maintains a set of best available regions where your subscription can deploy resources. The objective of this policy is to ensure that your subscription has full access to Azure services with optimal performance. Should you need additional or different regions, contact support. Fixed
deny
add
new Policy 2024-02-27 19:10:20 BuiltIn
Healthcare APIs c42dee8c-0202-4a12-bd8e-3e171cbf64dd FHIR Service should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services FHIR Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-02-27 19:10:20 BuiltIn
VirtualEnclaves 7809fda1-ba27-48c1-9c63-1f5aee46ba89 Storage Accounts should restrict network access through network ACL bypass configuration only. To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-27 19:10:20 BuiltIn
Backup d6f6f560-14b7-49a4-9fc8-d2c3a9807868 [Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2024-02-27 19:10:20 BuiltIn
Healthcare APIs 14961b63-a1eb-4378-8725-7e84ca8db0e6 DICOM Service should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services DICOM Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-02-27 19:10:20 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.0.0 > 4.1.0) 2024-02-27 19:10:20 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.1.0 > 3.2.0) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest 98cec160-6f57-4d11-86e2-0a03290a3a8a [Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
Resilience 493c215d-2554-5976-bc81-57d2c04fc8c1 [Preview]: Azure Database for MySQL Flexible Server should be Zone Resilient Azure Database for MySQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. MySQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, MySQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-02-20 22:44:08 BuiltIn
Resilience 42daa904-5969-47ef-92fb-b75df946195a [Preview]: Container App should be Zone Redundant Container App can be configured to be Zone Redundant or not. A Container App is Zone Redundant if its managed environment's 'ZoneRedundant' property is set to true. This policy identifies Container App lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.1.0 > 6.2.0) 2024-02-20 22:44:08 BuiltIn
Azure Ai Services 71ef260a-8f18-47b7-abcb-62d0673d94dc Azure AI Services resources should have key access disabled (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2024-02-20 22:44:08 BuiltIn
Resilience 4bd1f3c0-9443-49ad-b8bc-7c17a92b5924 [Preview]: Backup Vaults should be Zone Redundant Backup Vaults can be configured to be Zone Redundant or not. Backup Vaults are Zone Redundant if their storage settings type is set to 'ZoneRedundant', and are then considered resilient. Geo Redundant or Locally Redundant Backup Vaults are not considered resilient. Enforcing this policy helps ensure that Backup Vaults are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.1.1 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined, recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Extension for SQL Server Deployment
change
Patch, new suffix: deprecated (3.4.0 > 3.4.1-deprecated) 2024-02-20 22:44:08 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.3-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience bf45a74c-ed4f-4300-8afe-d6f0abdfe75b [Preview]: Azure HDInsight should be Zone Aligned Azure HDInsight can be configured to be Zone Aligned or not. Azure HDInsight that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an Azure HDInsight cluster is configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.5.0 > 3.6.0) 2024-02-20 22:44:08 BuiltIn
Resilience 682e4ab9-59fe-4871-9839-265b54c568c4 [Preview]: Public IP addresses should be Zone Resilient Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience 493c215d-2553-4976-bc81-57d2c04fc8c1 [Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. PostgreSQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, PostgreSQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience 18314dc7-a25d-420c-a069-f094b25ff91b [Preview]: Firewalls should be Zone Resilient Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 493c215c-0553-4976-bc81-57d2c04fc8c1 [Preview]: Application Gateways should be Zone Resilient Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gateways that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gateways with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on Azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor (4.5.0 > 4.7.0) 2024-02-20 22:44:08 BuiltIn
Resilience ae243d87-5cf3-4dce-90bd-6d62be328de3 [Preview]: Backup and Site Recovery should be Zone Redundant Backup and Site Recovery can be configured to be Zone Redundant or not. Backup and Site Recovery is Zone Redundant if its 'standardTierStorageRedundancy' property is set to 'ZoneRedundant'. Enforcing this policy helps ensure that Backup and Site Recovery is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Kubernetes 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Resilience 18314dc7-a25d-420c-a069-f094b25ff919 [Preview]: NAT gateway should be Zone Aligned NAT gateway can be configured to be Zone Aligned or not. A NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that a NAT gateway is configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 42daa904-5969-47ef-92cb-b75df946195a [Preview]: API Management Service should be Zone Redundant API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in its zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2024-02-20 22:44:08 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
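The Kubernetes rows above (readiness/liveness probes, read-only root filesystem, allowed images, image pull secrets, CPU and memory limits) are enforced on AKS through Gatekeeper constraints. The Python below is an added example, not Microsoft's policy definitions or constraint-template code: it applies the same five checks to pod manifests so workloads can be pre-screened before an assignment is switched from Audit to Deny. The helper names, the allowed-registry regex (in the same regex style the allowed-images policy parameter uses), the limit maxima and the two sample manifests are constructed for illustration; the quantity parser covers the common Kubernetes suffixes (m for millicores, Ki/Mi/Gi/Ti and k/M/G/T for memory) and nothing more.

```python
"""Pre-screen pod manifests against the AKS built-in policy checks listed above.

Added example; not Microsoft's policy code. Sample manifests are constructed.
"""
import re

# Memory suffix multipliers per the Kubernetes quantity conventions.
# Assumption: E/P suffixes and exponent forms are not needed for this check.
_MEM_SUFFIX = {
    "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
    "k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12, "": 1,
}


def parse_cpu(q):
    """CPU quantity in millicores: '500m' -> 500, '2' -> 2000, '0.5' -> 500."""
    q = str(q)
    if q.endswith("m"):
        return int(q[:-1])
    return int(round(float(q) * 1000))


def parse_memory(q):
    """Memory quantity in bytes: '256Mi' -> 268435456, '1G' -> 10**9, '512' -> 512."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]i|[kMGT])?", str(q))
    if not m:
        raise ValueError(f"unsupported memory quantity: {q!r}")
    return int(float(m.group(1)) * _MEM_SUFFIX[m.group(2) or ""])


def check_pod(pod, allowed_image_patterns, max_cpu="1", max_memory="1Gi"):
    """Return a list of violation strings for one pod manifest (a dict).

    One check per policy row: imagePullSecrets present on the pod; each
    container has a liveness or readiness probe, a read-only root filesystem,
    an image matching an allowed regex, and CPU/memory limits that are present
    and no larger than the configured maxima.
    """
    violations = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    if not spec.get("imagePullSecrets"):
        violations.append(f"{name}: no imagePullSecrets")
    for c in spec.get("containers", []):
        cname = f"{name}/{c['name']}"
        if not (c.get("livenessProbe") or c.get("readinessProbe")):
            violations.append(f"{cname}: no liveness or readiness probe")
        if c.get("securityContext", {}).get("readOnlyRootFilesystem") is not True:
            violations.append(f"{cname}: root filesystem is writable")
        image = c.get("image", "")
        # Note: an unqualified image such as 'busybox' means docker.io and
        # will not match a registry-pinned regex, which is the intended outcome.
        if not any(re.match(p, image) for p in allowed_image_patterns):
            violations.append(f"{cname}: image {image!r} is not from an allowed registry")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits:
            violations.append(f"{cname}: no CPU limit")
        elif parse_cpu(limits["cpu"]) > parse_cpu(max_cpu):
            violations.append(f"{cname}: CPU limit {limits['cpu']} exceeds {max_cpu}")
        if "memory" not in limits:
            violations.append(f"{cname}: no memory limit")
        elif parse_memory(limits["memory"]) > parse_memory(max_memory):
            violations.append(f"{cname}: memory limit {limits['memory']} exceeds {max_memory}")
    return violations


# Constructed sample inputs: one compliant pod and one that trips every check.
ALLOWED_IMAGES = [r"^[^/]+\.azurecr\.io/.+$"]  # same regex style as the policy parameter
GOOD_POD = {
    "metadata": {"name": "api"},
    "spec": {
        "imagePullSecrets": [{"name": "acr-pull"}],
        "containers": [{
            "name": "web",
            "image": "contoso.azurecr.io/api:1.4.2",
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "securityContext": {"readOnlyRootFilesystem": True},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}
BAD_POD = {
    "metadata": {"name": "debug"},
    "spec": {
        "containers": [{
            "name": "shell",
            "image": "busybox",
            "resources": {"limits": {"cpu": "4", "memory": "2Gi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        for v in check_pod(pod, ALLOWED_IMAGES) or [f"{pod['metadata']['name']}: compliant"]:
            print(v)
```

Run it on rendered manifests (for example the output of `helm template` or `kustomize build`, parsed with a YAML library) before the policy assignment moves to Deny; the limit maxima should be set to the same values you intend to pass as the policy's parameters, otherwise the local result and the admission decision will disagree.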
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Resilience 90bc8109-d21a-4692-88fc-51419391da3d [Preview]: Azure AI Search Service should be Zone Redundant Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 42daa901-5969-47ef-92cb-b75df946195a [Preview]: Load Balancers should be Zone Resilient Load Balancers with a sku other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
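The Resilience rows above all describe the same classification: a resource is Zone Aligned with exactly one entry in its zones array, Zone Redundant with three or more (API Management instead requires the Premium sku and at least two zones), and non-Basic Load Balancers inherit whatever their frontend Public IPs have. The Python below is an added example, not Microsoft's policy definitions: it implements that classification over resource dicts shaped like ARM resource JSON so an inventory export can be scored the same way the policies would. The function names, the rank-based "weakest frontend wins" rule for Load Balancers and the sample resources are assumptions made for illustration.

```python
"""Zone-resilience classification mirroring the Resilience policy rows above.

Added example; not Microsoft's policy definitions. Sample resources are
constructed in the shape of ARM resource JSON.
"""
ALIGNED, REDUNDANT, NONE = "ZoneAligned", "ZoneRedundant", "NotResilient"
_RANK = {NONE: 0, ALIGNED: 1, REDUNDANT: 2}


def classify_by_zones(resource):
    """Firewalls, Application Gateways, regional Public IPs: 1 zone -> aligned, 3+ -> redundant."""
    zones = resource.get("zones") or []
    if len(zones) == 1:
        return ALIGNED
    if len(zones) >= 3:
        return REDUNDANT
    return NONE


def is_zone_aligned(resource):
    """NAT gateway, HDInsight, Container Instances: exactly one zone entry."""
    return len(resource.get("zones") or []) == 1


def classify_public_ip(pip):
    """Only regional Public IPs are classified by their zones array."""
    if pip.get("sku", {}).get("tier", "Regional") != "Regional":
        return NONE
    return classify_by_zones(pip)


def classify_apim(apim):
    """API Management: Premium sku and at least two zones."""
    sku = apim.get("sku", {}).get("name")
    zones = apim.get("zones") or []
    return REDUNDANT if sku == "Premium" and len(zones) >= 2 else NONE


def classify_load_balancer(lb, public_ips_by_id):
    """Non-Basic Load Balancers inherit the resilience of their frontend Public IPs.

    Assumption: with several public frontends the weakest one decides, and a
    Load Balancer with no public frontend is reported as not resilient.
    """
    if lb.get("sku", {}).get("name", "Basic") == "Basic":
        return NONE
    results = []
    for fe in lb.get("properties", {}).get("frontendIPConfigurations", []):
        ref = fe.get("properties", {}).get("publicIPAddress")
        if ref:  # internal (subnet-backed) frontends are skipped here
            results.append(classify_public_ip(public_ips_by_id[ref["id"]]))
    return min(results, key=_RANK.get) if results else NONE


# Constructed sample resources, keyed the way an ARM export would reference them.
PUBLIC_IPS = {
    "/pip/zonal": {"sku": {"name": "Standard", "tier": "Regional"}, "zones": ["1"]},
    "/pip/zr": {"sku": {"name": "Standard", "tier": "Regional"}, "zones": ["1", "2", "3"]},
    "/pip/nozone": {"sku": {"name": "Standard", "tier": "Regional"}, "zones": []},
}
LB_STANDARD = {
    "sku": {"name": "Standard"},
    "properties": {"frontendIPConfigurations": [
        {"properties": {"publicIPAddress": {"id": "/pip/zr"}}},
        {"properties": {"publicIPAddress": {"id": "/pip/zonal"}}},
    ]},
}
LB_BASIC = {"sku": {"name": "Basic"}, "properties": {"frontendIPConfigurations": [
    {"properties": {"publicIPAddress": {"id": "/pip/zr"}}}]}}
APIM_PREMIUM = {"sku": {"name": "Premium"}, "zones": ["1", "2"]}
APIM_DEV = {"sku": {"name": "Developer"}, "zones": []}
FIREWALL_ZR = {"zones": ["1", "2", "3"]}
NAT_GW = {"zones": ["2"]}

if __name__ == "__main__":
    for label, verdict in [
        ("public IP /pip/zonal", classify_public_ip(PUBLIC_IPS["/pip/zonal"])),
        ("standard LB", classify_load_balancer(LB_STANDARD, PUBLIC_IPS)),
        ("basic LB", classify_load_balancer(LB_BASIC, PUBLIC_IPS)),
        ("APIM premium", classify_apim(APIM_PREMIUM)),
        ("firewall", classify_by_zones(FIREWALL_ZR)),
        ("NAT gateway aligned", is_zone_aligned(NAT_GW)),
    ]:
        print(f"{label}: {verdict}")
```

Two zones on a Firewall, Application Gateway or Public IP classify as neither aligned nor redundant under the rules quoted in the rows, which is why the checker reports NotResilient rather than a partial score; when the real policies are assigned with Deny, such resources are rejected at deployment time, so fix them in templates rather than relying on audit results.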
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Azure Ai Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.0 > 3.1.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience f58e8c0a-3c79-431a-abf8-cd1b895478e8 [Preview]: Container Instances should be Zone Aligned Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Monitoring 3aa571d2-2e4f-4e92-8a30-4312860efbe1 Enable logging by category group for Application group (microsoft.desktopvirtualization/applicationgroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Application group (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-02-13 19:27:15 BuiltIn
Backup 0b0434ec-2bad-4229-965f-bb7ae5a71257 [Preview]: Azure Backup should be enabled for AKS clusters Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch, old suffix: preview (2.1.0-preview > 2.1.1) 2024-02-13 19:27:15 BuiltIn
Monitoring 45c6bfc7-4520-4d64-a158-730cd92eedbc Enable logging by category group for Azure Cosmos DB (microsoft.documentdb/databaseaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring 6bb23bce-54ea-4d3d-b07d-628ce0f2e4e3 Enable logging by category group for Workspace (microsoft.desktopvirtualization/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Workspace (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.4.0 > 3.5.0) 2024-02-13 19:27:15 BuiltIn
Network cd6f7aff-2845-4dab-99f2-6d1754a754b0 Deploy a Flow Log resource with target virtual network Configures flow log for specific virtual network. It will allow to log information about IP traffic flowing through an virtual network. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.1.0 > 1.1.1) 2024-02-13 19:27:15 BuiltIn
Network 3e9965dc-cc13-47ca-8259-a4252fd0cf7b Configure virtual network to enable Flow Log and Traffic Analytics Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current setting for virtual networks that already have these feature enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.1.0 > 1.1.1) 2024-02-13 19:27:15 BuiltIn
Backup 4510daf9-5abc-4d7d-a11d-d84416b814f6 [Preview]: Azure Backup should be enabled for Blobs in Storage Accounts Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring c0d8e23a-47be-4032-961f-8b0ff3957061 Enable logging by category group for App Service (microsoft.web/sites) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service (microsoft.web/sites). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-02-13 19:27:15 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2024-02-13 19:27:15 BuiltIn
Monitoring 6f95136f-6544-4722-a354-25a18ddb18a7 Enable logging by category group for Host pool (microsoft.desktopvirtualization/hostpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Host pool (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Key Vault 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 Azure Key Vault should use RBAC permission model Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-02-13 19:27:15 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.1.0 > 1.1.1) 2024-02-13 19:27:15 BuiltIn
Security Center da56d295-2889-41ce-a4cd-6f50fb93aa68 Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP), for Windows downlevel machines onboarded to MDE via MMA, and auto provisioning of MDE on Windows Server 2019, Windows Virtual Desktop and above. Must be turned on in order for the other settings (WDATP_UNIFIED, etc.) to work. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-02-13 19:27:15 BuiltIn
Security Center d38668f5-d155-42c7-ab3d-9b57b50f8fbf Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers Audit PostgreSQL flexible servers without Advanced Data Security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring e9c22e0d-1f03-44da-a9d5-a9754ea53dc4 Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Function App (microsoft.web/sites). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Security Center f9e2bd2f-47c7-4059-8265-c5292aa62c8a Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX...) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_EXCLUDE_LINUX_...), for enabling auto provisioning of MDE for Linux servers. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-02-13 19:27:15 BuiltIn
Backup fda9cd0b-094c-4cd5-ac2a-5e06e5277c45 [Preview]: Azure Backup Extension should be installed in AKS clusters Ensure installation of the backup extension in your AKS clusters to leverage Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2024-02-13 19:27:15 BuiltIn
Backup a25a41a7-a769-4271-841d-7ce0297be0c0 [Preview]: Azure Backup should be enabled for Managed Disks Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.4.0 > 3.5.0) 2024-02-13 19:27:15 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview) 2024-02-13 19:27:15 BuiltIn
Security Center 48666c5d-cec1-4043-ab6b-1be05abb24f2 Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_UNIFIED_SOLUTION), for enabling auto provisioning of MDE Unified Agent for Windows Server 2012R2 and 2016. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring 244bcb20-b194-41f3-afcc-63aef382b64c Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Key Vault 0a075868-4c26-42ef-914c-5bc007359560 Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch, old suffix: preview (2.2.0-preview > 2.2.1) 2024-02-13 19:27:15 BuiltIn
Monitoring a4490248-cb97-4504-b7fb-f906afdb7437 Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewall (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring cdd1dbc6-0004-4fcd-afd7-b67550de37ff Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Security Center Deploy-MDFC-SQL-DefenderSQL-DCR Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2024-02-05 19:33:54 ALZ
Security Center Deploy-MDFC-SQL-AMA Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
new Policy 2024-01-31 19:57:15 ALZ
Managed Identity Deploy-UserAssignedManagedIdentity-VMInsights Deploy User Assigned Managed Identity for VM Insights Create and assign a User Assigned Managed Identity to Virtual Machines for VM Insights Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2024-01-31 19:57:15 ALZ
Security Center Deploy-MDFC-Arc-Sql-DefenderSQL-DCR Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2024-01-31 19:57:15 ALZ
Security Center Deploy-MDFC-SQL-DefenderSQL-DCR Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2024-01-31 19:57:15 ALZ
Security Center Deploy-MDFC-SQL-DefenderSQL Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2024-01-31 19:57:15 ALZ
Security Center 5eb6d64a-4086-4d7a-92da-ec51aed0332d Configure Microsoft Defender for Servers plan New capabilities are continuously being added to Defender for Servers, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-01-31 19:57:15 BuiltIn
Security Center 17bc14a7-92e1-4551-8b8c-80f36953e166 Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Minor (1.0.2 > 1.1.0) 2024-01-31 19:57:15 BuiltIn
Security Center 72f8cee7-2937-403d-84a1-a4e3e57f3c21 Configure Microsoft Defender CSPM plan Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-01-31 19:57:15 BuiltIn
Security Center b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Minor (1.0.2 > 1.1.0) 2024-01-31 19:57:15 BuiltIn
Monitoring Deploy-Diagnostics-MariaDB [Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-01-31 19:57:15 ALZ
Security Center efd4031d-b232-4595-babf-ae817348e91b Configure Microsoft Defender for Containers plan New capabilities are continuously being added to Defender for Containers plan, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-01-31 19:57:15 BuiltIn
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
change
Patch (2.1.0 > 2.1.1)
Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet) 2024-01-31 19:57:15 ALZ
Security Center 1f725891-01c0-420a-9059-4fa46cb770b7 Configure Microsoft Defender for Key Vault plan Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Minor (1.0.2 > 1.1.0) 2024-01-31 19:57:15 BuiltIn
Security Center Deploy-MDFC-Arc-SQL-DCR-Association Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2024-01-31 19:57:15 ALZ
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) 2024-01-31 19:57:15 BuiltIn
SQL 78215662-041e-49ed-a9dd-5385911b3a1f Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
Synapse 6ea81a52-5ca7-4575-9669-eaa910b7edf8 Synapse Workspaces should have Microsoft Entra-only authentication enabled Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (3.9.1 > 3.10.0) 2024-01-24 19:15:51 BuiltIn
SQL 0c28c3fb-c244-42d5-a9bf-f35f2999577b Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Stack HCI 7384fde3-11b0-4047-acbd-b3cf3cc8ce07 [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/dad3a6b9-4451-492f-a95c-69efc6f3fada. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Synapse c3624673-d2ff-48e0-b28c-5de1c6767c3c Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
SQL b3a22bc9-66de-45fb-98fa-00f5df42f41a Azure SQL Database should have Microsoft Entra-only authentication enabled Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Backup c7031eab-0fc0-4cd9-acd0-4497bd66d91a [Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Recovery Services Vaults. MUA helps in securing your Recovery Services Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/MUAforRSV. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Stack HCI 56c47221-b8b7-446e-9ab7-c7c9dc07f0ad [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.4.1 > 3.5.0) 2024-01-24 19:15:51 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on Azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor (4.4.1 > 4.5.0) 2024-01-24 19:15:51 BuiltIn
Synapse 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
Stack HCI aee306e7-80b0-46f3-814c-d3d3083ed034 [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Synapse 738949be-6fd2-46b9-b969-99b53712b192 Configure Synapse Workspaces to use only Microsoft Entra identities for authentication Require and reconfigure Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled and re-enables Microsoft Entra-only authentication on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
add
new Policy 2024-01-24 19:15:51 BuiltIn
Key Vault d3e82b87-6673-410b-8501-1896b688b9a3 [Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Stack HCI ae95f12a-b6fd-42e0-805c-6b94b86c9830 [Deprecated]: Azure Stack HCI systems should have encrypted volumes This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
SQL abda6d70-9778-44e7-84a8-06713e6db027 Azure SQL Database should have Microsoft Entra-only authentication enabled during creation Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
Security Center - Granular Pricing 9e4879d9-c2a0-4e40-8017-1a5a5327c843 Configure Azure Defender for Servers to be enabled ('P1' subplan) for all resources (resource level) with the selected tag Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) that have the selected tag name and tag value(s). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.1.0 > 4.2.0) 2024-01-22 17:47:54 BuiltIn
ElasticSan 6a92fe1f-0b86-44ae-843d-2db3d2b571ae ElasticSan should disable public network access Disable public network access for your ElasticSan so that it's not accessible over the public internet. This can reduce data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
ElasticSan 1abc5157-29f8-4dbd-b28e-ff99526cb8b7 ElasticSan Volume Group should use private endpoints Private endpoints let administrators connect virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to the volume group, administrators can reduce data leakage risks. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing 1b8c0040-b224-4ea1-be6a-47254dd5a207 Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level) Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) in the selected scope (subscription or resource group). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they have accounts without passwords. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify
count: 001
Contributor
change
Minor (4.0.0 > 4.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 001
Contributor
change
Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
SQL 80ed5239-4122-41ed-b54a-6f1fa7552816 Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration f40c7c00-b4e3-4068-a315-5fe81347a904 [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) 2024-01-22 17:47:54 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels Default
Disabled
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 [Preview]: Linux machines should meet STIG compliance requirement for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides, STIGs (Security Technical Implementation Guides), to secure compute OS as required by the Department of Defense (DoD). For more details, see https://public.cyber.mil/stigs/. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
Guest Configuration e79ffbda-ff85-465d-ab8e-7e58a557660f [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
SQL db048e65-913c-49f9-bb5f-1084184671d3 Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration fad40cac-a972-4db0-b204-f1b15cced89a Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that allow remote connections from accounts without passwords. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify
count: 001
Contributor
change
Minor (4.0.0 > 4.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that do not have the passwd file permissions set to 0644. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.1.0 > 4.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-01-22 17:47:54 BuiltIn
Security Center 2a6ae02f-7590-40d7-88ba-b18e205a32fd Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2024-01-22 17:47:54 BuiltIn
SQL a6cf7411-da9e-49e2-aec0-cba0250eaf8c Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-deprecated > 1.2.0-deprecated) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest 98cec160-6f57-4d11-86e2-0a03290a3a8a [Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest fa8af49a-f61d-4f56-9138-46b77d37df43 [Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Backup c58e083e-7982-4e24-afdc-be14d312389e [Preview]: Multi-User Authorization (MUA) must be enabled for Backup Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Backup Vaults. MUA helps in securing your Backup Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/mua-for-bv. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing 080fedce-9d4a-4d07-abf0-9f036afbc9c8 Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) that have the selected tag name and tag value(s). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for the policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing f6ff485a-7630-4730-854d-cd3ad855435e Configure Azure Defender for Servers to be disabled for all resources (resource level) Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) in the selected scope (subscription or resource group). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-01-22 17:47:54 BuiltIn
VirtualEnclaves ead33d15-8ff9-44d8-be85-24144ecc859e Do not allow creation of resource types outside of the allowlist This policy prevents deployment of resource types outside of the explicitly allowed types, in order to maintain security in a virtual enclave. https://aka.ms/VirtualEnclaves Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-12 18:35:06 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.3.1 > 1.4.0) 2024-01-12 18:35:06 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance security by rejecting invoke-command access to the cluster. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Minor (1.0.3 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.2.1 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying one custom or internal certificate authority that can issue certificates in your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (2.1.0 > 2.1.1) 2024-01-12 18:35:06 BuiltIn
Monitoring 752154a7-1e0f-45c6-a880-ac75a7e4f648 Public IP addresses should have resource logs enabled for Azure DDoS Protection Enable resource logs for public IP addresses in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
Security Center 5f0f936f-2f01-4bf5-b6be-d423792fa562 [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Patch (2.0.1 > 2.0.2) 2024-01-12 18:35:06 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2024-01-12 18:35:06 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, then this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
VirtualEnclaves 337ef0ec-0703-499e-a57c-b4155034e606 Do not allow creation of specified resource types or types under specific providers The resource providers and types specified via parameter list are not allowed to be created without explicit approval from the security team. If an exemption is granted to the policy assignment, the resource can be leveraged within the enclave. https://aka.ms/VirtualEnclaves Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-12 18:35:06 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (1.2.2 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Security Center bdc59948-5574-49b3-bb91-76b7c986428d [Deprecated]: Azure Defender for DNS should be enabled This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-01-12 18:35:06 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.3.1 > 1.4.0) 2024-01-12 18:35:06 BuiltIn
Security Center 2370a3c1-4a25-4283-a91a-c9c1a145fb2f [Deprecated]: Configure Azure Defender for DNS to be enabled This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Minor, new suffix: deprecated (1.0.2 > 1.1.0-deprecated) 2024-01-12 18:35:06 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.2.2 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Backup 31b8092a-36b8-434b-9af7-5ec844364148 [Preview]: Soft delete must be enabled for Recovery Services Vaults. This policy audits if soft delete is enabled for Recovery Services Vaults in the scope. Soft delete can help you recover your data even after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-01-12 18:35:06 BuiltIn
Security Center 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.2 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.2.0 > 2.3.0) 2024-01-12 18:35:06 BuiltIn
Network 4c3c6c5f-0d47-4402-99b8-aa543dd8bcee Audit flow logs configuration for every virtual network Audit virtual networks to verify that flow logs are configured. Enabling flow logs allows logging information about IP traffic flowing through a virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
Network 3e9965dc-cc13-47ca-8259-a4252fd0cf7b Configure virtual network to enable Flow Log and Traffic Analytics Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current settings for virtual networks that already have these features enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.1.2 > 1.2.0) 2024-01-12 18:35:06 BuiltIn
VirtualEnclaves f3a7bbfd-a810-47a6-b5ba-8e17d8cffb96 Network interfaces should be connected to an approved subnet of the approved virtual network This policy blocks network interfaces from connecting to a virtual network or subnet that is not approved. https://aka.ms/VirtualEnclaves Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-12 18:35:06 BuiltIn
Security Center c6283572-73bb-4deb-bf2c-7a2b8f7462cb SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. Learn more: https://aka.ms/SQLAMAMigration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-01-12 18:35:06 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.2.2 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.3.1 > 1.4.0) 2024-01-12 18:35:06 BuiltIn
Network cd6f7aff-2845-4dab-99f2-6d1754a754b0 Deploy a Flow Log resource with target virtual network Configures a flow log for a specific virtual network. It allows logging information about IP traffic flowing through a virtual network. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
Network 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d Virtual networks should be protected by Azure DDoS Protection Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. Default
Modify
Allowed
Modify, Audit, Disabled
count: 001
Network Contributor
change
Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.1 > 1.2.0) 2024-01-12 18:35:06 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.3.1 > 1.4.0) 2024-01-12 18:35:06 BuiltIn
Security Center a7aca53f-2ed4-4466-a25e-0b45ade68efd Azure DDoS Protection should be enabled DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (3.0.0 > 3.0.1) 2024-01-12 18:35:06 BuiltIn
Security Center 090c7b07-b4ed-4561-ad20-e9075f3ccaff Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.1.2 > 1.2.0) 2024-01-12 18:35:06 BuiltIn
Guest Configuration ec2c1bce-5ad3-4b07-bb4f-e041410cd8db [Preview]: Nexus Compute Machines should meet Security Baseline Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only). Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-01-05 19:11:18 BuiltIn
Backup 8f09fda1-91a2-4e14-96a2-67c6281158f7 [Preview]: Do not allow creation of Recovery Services vaults of chosen storage redundancy. Recovery Services vaults can be created with any one of three storage redundancy options today, namely Locally-redundant storage, Zone-redundant storage and Geo-redundant storage. If the policies in your organization require you to block the creation of vaults of a certain redundancy type, you can achieve that using this Azure policy. Default
Deny
Allowed
Deny, Disabled
add
new Policy 2023-12-19 19:28:10 BuiltIn
Security Center 2a6ae02f-7590-40d7-88ba-b18e205a32fd Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-12-14 19:23:04 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (9.1.0 > 9.1.1) 2023-12-14 19:23:04 BuiltIn
ElasticSan 7698f4ed-80ce-4e13-b408-ee135fa400a5 ElasticSan Volume Group should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your VolumeGroup. By default, customer data is encrypted with platform-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-12-14 19:23:04 BuiltIn
Machine Learning 19539b54-c61e-4196-9a38-67598701be90 [Preview]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry Only deploy Registry Models that are in the allowed Registry and that are not restricted. Fixed
[parameters('effect')]
add
new Policy 2023-12-08 20:47:07 BuiltIn
App Service 153ab4ca-2d58-4b5d-9134-6d8c6bdd321c Function app slots should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 075896de-f4f8-465b-b6d8-9e73725bb62d [Preview]: Service Fabric Clusters should be Zone Redundant Service Fabric Clusters can be configured to be Zone Redundant or not. Service Fabric Clusters whose nodeTypes do not have multipleAvailabilityZones set to true are not Zone Redundant. This policy identifies Service Fabric Clusters lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Network 27f7fb01-5fdb-44ad-954c-d582f8659533 Bot Protection should be enabled for Azure Front Door WAF This policy ensures that bot protection is enabled in all Azure Front Door Web Application Firewall (WAF) policies. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
SQL a6cf7411-da9e-49e2-aec0-cba0250eaf8c Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.1 > 1.1.0) 2023-12-08 20:47:07 BuiltIn
App Service 2f7c08c2-f671-4282-9fdb-597b6ef2c10d [Deprecated]: App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2023-12-08 20:47:07 BuiltIn
Resilience f16a3ca9-b57a-4392-b660-4c1f8442aa8d [Preview]: SQL Elastic database pools should be Zone Redundant SQL Elastic database pools can be configured to be Zone Redundant or not. A SQL Elastic database pool is Zone Redundant if its 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that SQL Elastic database pools are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
SQL db048e65-913c-49f9-bb5f-1084184671d3 Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.1 > 1.1.0) 2023-12-08 20:47:07 BuiltIn
App Service ab6a902f-9493-453b-928d-62c30b11b5a6 Function apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2023-12-08 20:47:07 BuiltIn
Guest Configuration 14b4e776-9fab-44b0-b53f-38d2458ea8be [Preview]: Extended Security Updates should be installed on Windows Server 2012 Arc machines. Windows Server 2012 Arc machines should have all the Extended Security Updates released by Microsoft installed. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Network ff1f1879-a60d-4f23-9641-41e7391ec19a Azure Application Gateway should be deployed with Azure WAF Requires Azure Application Gateway resources to be deployed with Azure WAF. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
App Service 5b0bd968-5cb5-4513-8987-27786c6f0df8 App Service app slots should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
API Management 1dc2fc00-2245-4143-99f4-874c937f13ef Azure API Management platform version should be stv2 Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024 Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Network ebea0d86-7fbd-42e3-8a46-27e7568c2525 Bot Protection should be enabled for Azure Application Gateway WAF This policy ensures that bot protection is enabled in all Azure Application Gateway Web Application Firewall (WAF) policies. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
App Service cf9ca02d-383e-4506-a421-258cc1a5300d [Deprecated]: Function app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2023-12-08 20:47:07 BuiltIn
Resilience 2dba5c7e-12a4-4be8-b208-f59bc49e88c2 [Preview]: Public IP Prefixes should be Zone Resilient Public IP Prefixes can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP prefixes that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP prefixes with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 682e4ab9-59fe-4871-9839-265b54c568c4 [Preview]: Public IP addresses should be Zone Resilient Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
SQL 80ed5239-4122-41ed-b54a-6f1fa7552816 Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.1 > 1.1.0) 2023-12-08 20:47:07 BuiltIn
App Service 19dd1db6-f442-49cf-a838-b0786b4401ef App Service apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 0fc92280-604b-4f23-9e04-5ef98d1a28df [Preview]: SQL Managed Instances should be Zone Redundant SQL Managed Instances can be configured to be Zone Redundant or not. Instances with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL managedInstances that need zone redundancy configuration to enhance availability and resilience within Azure. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Resilience ae243d87-5cf3-4dce-90bd-6d62be328de9 [Preview]: Event Hubs should be Zone Redundant Event Hubs can be configured to be Zone Redundant or not. An Event Hubs namespace is Zone Redundant if its 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Resilience bdd8bbb2-1efd-48dc-a0fd-8ddcba2e96cd [Preview]: Azure Managed Grafana should be Zone Redundant Azure Managed Grafana can be configured to be Zone Redundant or not. An Azure Managed Grafana instance is Zone Redundant if its 'zoneRedundancy' property is set to 'Enabled'. Enforcing this policy helps ensure that your Azure Managed Grafana is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
App Service eaebaea7-8013-4ceb-9d14-7eb32271373c [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2023-12-08 20:47:07 BuiltIn
Tags 36fd7371-8eb7-4321-9c30-a7100022d048 Requires resources to not have a specific tag. This is a versioning test built-in. Denies the creation of a resource that contains the given tag. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
change
Major (1.0.1 > 2.0.0) 2023-12-08 20:47:07 BuiltIn
Resilience 2dec5f47-bc40-40d1-8c7d-a39d9d6808d1 [Preview]: Azure Kubernetes Service Managed Clusters should be Zone Redundant Azure Kubernetes Service Managed Clusters can be configured to be Zone Redundant or not. The policy checks the node pools in the cluster and ensures that availability zones are set for all the node pools. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 344ea7ca-2ba8-4d68-859b-317239714b2c [Preview]: Managed Disks should be Zone Resilient Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 6221cac0-bb8d-40f4-9535-5d03f713f054 [Preview]: SQL Databases should be Zone Redundant SQL Databases can be configured to be Zone Redundant or not. Databases with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL databases that need zone redundancy configuration to enhance availability and resilience within Azure. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 22888755-d824-4e43-8e0b-42d481836554 [Preview]: App Service Plans should be Zone Redundant App Service Plans can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for an App Service Plan, it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for App Service Plans. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
165a4137-c3ed-4fd0-a17f-1c8a80266580 n/a n/a
remove
165a4137-c3ed-4fd0-a17f-1c8a80266580 2023-12-08 20:47:07 BuiltIn
Resilience da8a2248-6b4a-44a7-96bf-bf1c0dd208c3 [Preview]: Virtual network gateways should be Zone Redundant Virtual network gateways can be configured to be Zone Redundant or not. Virtual network gateways whose SKU name or tier does not end with 'AZ' are not Zone Redundant. This policy identifies Virtual network gateways lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-12-08 20:47:07 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes; edit node pools instead. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2023-12-04 18:38:36 BuiltIn
Security Center 308fbb08-4ab8-4e67-9b29-592e93fb94fa [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.4 > 1.1.0-deprecated) 2023-12-04 18:38:36 BuiltIn
Service Bus 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e Configure Azure Service Bus namespaces to disable local authentication Disable local authentication methods so that your Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default
Modify
Allowed
Modify, Disabled
count: 001
Azure Service Bus Data Owner
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Event Grid 67dcad1a-ec60-45df-8fd0-14c9d29eeaa2 Azure Event Grid namespaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
SQL 40e85574-ef33-47e8-a854-7a65c7500560 Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure the association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, old suffix: preview (1.1.0-preview > 1.1.1) 2023-11-17 19:29:28 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure the association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, old suffix: preview (1.0.1-preview > 1.0.2) 2023-11-17 19:29:28 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-11-17 19:29:28 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-11-17 19:29:28 BuiltIn
Event Grid cddcbb7e-a7b1-4380-b4d8-45cf77b0d561 Configure Azure Event Grid namespace MQTT broker with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
EventGrid Contributor
Network Contributor
add
new Policy 2023-11-17 19:29:28 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-11-17 19:29:28 BuiltIn
Event Hub 5d4e3c65-4873-47be-94f3-6f8b953a3598 Azure Event Hub namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Event Hub 57f35901-8389-40bb-ac49-3ba4f86d889d Configure Azure Event Hub namespaces to disable local authentication Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Modify
Allowed
Modify, Disabled
count: 001
Azure Event Hubs Data Owner
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Guest Configuration ec2c1bce-5ad3-4b07-bb4f-e041410cd8db [Preview]: Nexus Compute Machines should meet Security Baseline Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only). Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
Event Grid cd8f7644-6fe8-4516-bded-0e465ead03ac Azure Event Grid namespace MQTT broker should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Event Grid 1301a000-bc6b-4d90-8414-7091e3abdc40 Azure Event Grid namespace topic broker should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
SQL b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 A Microsoft Entra administrator should be provisioned for PostgreSQL servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-11-17 19:29:28 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-11-17 19:29:28 BuiltIn
Service Bus cfb11c26-f069-4c14-8e36-56c394dae5af Azure Service Bus namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, old suffix: preview (1.2.0-preview > 1.2.1) 2023-11-17 19:29:28 BuiltIn
Azure Arc 4c660f31-eafb-408d-a2b3-6ed2260bd26c [Preview]: Deny Extended Security Updates (ESUs) license creation or modification. This policy enables you to restrict the creation or modification of ESU licenses for Windows Server 2012 Arc machines. For more details on pricing, please visit https://aka.ms/ArcWS2012ESUPricing. Default
Deny
Allowed
Deny, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
Event Grid 2b21ce34-9c45-4037-9c84-0ac0dbd0095f Configure Azure Event Grid namespaces with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
EventGrid Contributor
Network Contributor
add
new Policy 2023-11-17 19:29:28 BuiltIn
SQL 146412e9-005c-472b-9e48-c87b72ac229e A Microsoft Entra administrator should be provisioned for MySQL servers Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.1.0 > 1.1.1) 2023-11-17 19:29:28 BuiltIn
Azure Arc 4864134f-d306-4ff5-94d8-ea4553b18c97 [Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected even after their support lifecycle has ended. To learn how to prepare to deliver Extended Security Updates for Windows Server 2012 through Azure Arc, visit https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates. For more details on pricing, please visit https://aka.ms/ArcWS2012ESUPricing. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Guest Configuration Resource Contributor
Hybrid Server Resource Administrator
add
new Policy 2023-11-17 19:29:28 BuiltIn
Kubernetes ca8d5704-aa2b-40cf-b110-dc19052825ad Kubernetes clusters should minimize wildcard use in role and cluster role Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-14 18:14:48 BuiltIn
General e624c84f-2923-4437-9fd9-4115c6da3888 Configure subscriptions to set up preview features This policy evaluates existing subscriptions' preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-11-14 18:14:48 BuiltIn
SQL Server f692cc79-76fb-4c61-8861-467e454ac6f8 Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates. Subscribe eligible Arc-enabled SQL Servers instances with License Type set to Paid or PAYG to Extended Security Updates. More on extended security updates https://go.microsoft.com/fwlink/?linkid=2239401. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Extension for SQL Server Deployment
Reader
add
new Policy 2023-11-14 18:14:48 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs; the additional steps required to complete onboarding are available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch, suffix remains equal (1.0.2-deprecated > 1.0.3-deprecated) 2023-11-14 18:14:48 BuiltIn
Security Center 3b1a8e0a-b2e1-48be-9365-28be2fbef550 [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (3.0.0-deprecated > 3.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.3 > 1.0.4) 2023-11-08 19:40:08 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center aba46665-c3a7-4319-ace1-a0282deebac2 [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (5.2.0-deprecated > 5.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both the Image Integrity and Policy add-ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) 2023-11-08 19:40:08 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 8ac833bd-f505-48d5-887e-c993a1d3eea0 API endpoints in Azure API Management should be authenticated API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn more about the OWASP API threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-11-06 19:40:47 BuiltIn
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API-based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.0.2-preview > 1.0.3) 2023-11-06 19:40:47 BuiltIn
Resilience 408934a8-941a-4c1e-ba88-dd035d9688f4 [Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 1bf67da8-b100-45bf-b89d-e4669fc54411 [Preview]: Azure Cache for Redis should be Zone Redundant Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience cbe58ab0-07a8-43ea-9ccc-8ea33e4d6aa5 [Preview]: Azure Data Explorer Clusters should be Zone Redundant Azure Data Explorer Clusters can be configured to be Zone Redundant or not. An Azure Data Explorer Cluster is considered Zone Redundant if it has at least two entries in its zones array. This policy helps ensure that your Azure Data Explorer Clusters are Zone Redundant. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience d3ee5dcf-0c6d-49ab-aee4-f250583a7bdc [Preview]: Service Bus should be Zone Redundant Service Bus can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for a Service Bus, it means it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for Service Bus instances. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 85b005b2-95fc-4953-b9cb-f9ee6427c754 [Preview]: Storage Accounts should be Zone Redundant Storage Accounts can be configured to be Zone Redundant or not. If a Storage Account's SKU name does not end with 'ZRS' or its kind is 'Storage', it is not Zone Redundant. This policy ensures that your Storage Accounts use a Zone Redundant configuration. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Kubernetes a3dc4946-dba6-43e6-950d-f96532848c9f Kubernetes clusters should ensure that the cluster-admin role is only used where required The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Kubernetes 5c345cdf-2049-47e0-b8fe-b0e96bc2df35 Azure Kubernetes Service Clusters should enable cluster auto-upgrade AKS cluster auto-upgrade can ensure your clusters are up to date and don't miss the latest features or patches from AKS and upstream Kubernetes. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-cluster. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 9d2b0a20-57d6-474c-9d12-44a4a20999c6 [Preview]: Container Registry should be Zone Redundant Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 42daa904-5969-47ef-92cb-b75df946195a [Preview]: API Management Service should be Zone Redundant API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in its zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Security Center c8acafaf-3d23-44d1-9624-978ef0f8652c API endpoints that are unused should be disabled and removed from the Azure API Management service As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-11-06 19:40:47 BuiltIn
SQL c9299215-ae47-4f50-9c54-8a392f68a052 Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-11-06 19:40:47 BuiltIn
SQL 78215662-041e-49ed-a9dd-5385911b3a1f Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after creation. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Kubernetes 40f1aee2-4db4-4b74-acb1-c6972e24cca8 Configure Node OS Auto upgrade on Azure Kubernetes Cluster Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.0 > 1.0.1) 2023-10-31 19:02:40 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) 2023-10-31 19:02:40 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Resilience d3903bdf-ab85-4cce-85d3-2934d77629d4 [Preview]: Virtual Machine Scale Sets should be Zone Resilient Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure that services in a namespace have unique selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify that the Gatekeeper pods' memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Azure Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance security by rejecting invoke-command access to the cluster. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.2 > 1.0.3) 2023-10-31 19:02:40 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Improve cluster security by centrally governing Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (2.0.3 > 2.0.4) 2023-10-31 19:02:40 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (5.2.0-preview > 5.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.2 > 1.0.3) 2023-10-31 19:02:40 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-10-31 19:02:40 BuiltIn
SQL Server 7148a409-0d59-4baa-925b-b3aae486a14e [Preview]: Enable system-assigned identity to SQL VM Enable system-assigned identity at scale to SQL virtual machines. You need to assign this policy at subscription level. Assigning it at resource group level will not work as expected. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
add
new Policy 2023-10-31 19:02:40 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs; the additional steps required to complete onboarding are available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.0.2-preview > 1.0.2-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-10-31 19:02:40 BuiltIn
Synapse 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after creation. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-10-31 19:02:40 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Synapse c3624673-d2ff-48e0-b28c-5de1c6767c3c Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configures an approval endpoint that is called before jobs run on the specified Azure Machine Learning computes; the policy can be assigned at the workspace level. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-10-31 19:02:40 BuiltIn
Resilience 44c5a1f9-7ef6-4c38-880c-273e8f7a3c24 [Preview]: Cosmos Database Accounts should be Zone Redundant Cosmos Database Accounts can be configured to be Zone Redundant or not. If the 'enableMultipleWriteLocations' is set to 'true' then all locations must have a 'isZoneRedundant' property and it must be set to 'true'. If the 'enableMultipleWriteLocations' is set to 'false' then the primary location ('failoverPriority' set to 0) must have a 'isZoneRedundant' property and it must be set to 'true'. Enforcing this policy ensures Cosmos Database Accounts are appropriately configured for zone redundancy. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provides the registries that are allowed on the specified Azure Machine Learning computes; the policy can be assigned at the workspace level. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (4.0.0 > 4.0.1) 2023-10-31 19:02:40 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provides the allowed module authors for the specified Azure Machine Learning computes; the policy can be assigned at the workspace level. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
SQL abda6d70-9778-44e7-84a8-06713e6db027 Azure SQL Database should have Microsoft Entra-only authentication enabled during creation Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) 2023-10-31 19:02:40 BuiltIn
Resilience 42f4f3a2-7d20-4c13-a05d-01857a626c22 [Preview]: Virtual Machines should be Zone Aligned Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both the Image Integrity and Policy add-ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 3b1a8e0a-b2e1-48be-9365-28be2fbef550 [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, the Azure Monitor agent is no longer required to receive Defender for Servers security features, but it is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center aba46665-c3a7-4319-ace1-a0282deebac2 [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, the Azure Monitor agent is no longer required to receive Defender for Servers security features, but it is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance security by rejecting invoke-command access to the cluster. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.1 > 1.0.2) 2023-10-23 17:41:36 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.0 > 1.0.2) 2023-10-23 17:41:36 BuiltIn
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.1.0 > 2.2.0) 2023-10-23 17:41:36 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Improve cluster security by centrally governing Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (2.0.1 > 2.0.3) 2023-10-23 17:41:36 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both the Image Integrity and Policy add-ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch, suffix remains equal (1.0.1-preview > 1.0.3-preview) 2023-10-23 17:41:36 BuiltIn
General 78460a36-508a-49a4-b2b2-2f5ec564f4bb Do not allow deletion of resource types This policy enables you to specify the resource types that your organization can protect from accidental deletion by blocking delete calls using the DenyAction effect. Default
DenyAction
Allowed
DenyAction, Disabled
add
new Policy 2023-10-23 17:41:36 BuiltIn
Kubernetes 450d2877-ebea-41e8-b00c-e286317d21bf Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-10-23 17:41:36 BuiltIn
Internet of Things 43c323f6-0329-4f7c-a19a-6e5a5690d042 Azure Device Update accounts should use customer-managed key to encrypt data at rest Encryption of data at rest in Azure Device Update with a customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and the ability to manage access to data through key access control. Learn more at: https://learn.microsoft.com/azure/iot-hub-device-update/device-update-data-encryption. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-16 18:01:34 BuiltIn
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (4.1.0 > 4.1.1) 2023-10-16 18:01:34 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both the Image Integrity and Policy add-ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-10-16 18:01:34 BuiltIn
Guest Configuration 828ba269-bf7f-4082-83dd-633417bc391d Configure secure communication protocols (TLS 1.1 or TLS 1.2) on Windows machines Creates a Guest Configuration assignment to configure the specified secure protocol version (TLS 1.1 or TLS 1.2) on Windows machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2023-10-16 18:01:34 BuiltIn
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (1.0.2 > 1.0.3) 2023-10-09 18:04:57 BuiltIn
Network Audit-PrivateLinkDnsZones Audit the creation of Private Link Private DNS Zones This policy audits the creation of Private Link Private DNS Zones in the current scope; it is used in combination with policies that create centralized private DNS in the connectivity subscription. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-10-05 18:01:59 ALZ
SQL Deploy-MySQL-sslEnforcement Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforcing a minimum TLS version for connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2023-09-27 17:59:47 ALZ
Container Registry 84497762-32b6-4ab3-80b6-732ea48b85a2 Container registries should prevent cache rule creation Disable cache rule creation for your Azure Container Registry to prevent pull through cache pulls. Learn more at: https://aka.ms/acr/cache. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-09-27 17:59:47 BuiltIn
SQL Deploy-PostgreSQL-sslEnforcement Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforcing a minimum TLS version for connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2023-09-27 17:59:47 ALZ
Monitoring DenyAction-ActivityLogs DenyAction implementation on Activity Logs This is a DenyAction implementation policy on Activity Logs. Fixed
denyAction
add
new Policy 2023-09-27 17:59:47 ALZ
Storage Deploy-Storage-sslEnforcement Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enforcing a minimum TLS version for connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Storage Account Contributor
change
Minor (1.1.0 > 1.2.0) 2023-09-27 17:59:47 ALZ
SQL Deploy-SqlMi-minTLS SQL managed instances deploy a specific min TLS version requirement. Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enforcing a minimum TLS version for connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Managed Instance Contributor
change
Minor (1.0.0 > 1.2.0) 2023-09-27 17:59:47 ALZ
App Configuration b08ab3ca-1062-4db3-8803-eec9cae605d6 App Configuration stores should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-09-27 17:59:47 BuiltIn
App Configuration 72bc14af-4ab8-43af-b4e4-38e7983f9a1f Configure App Configuration stores to disable local authentication methods Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2023-09-27 17:59:47 BuiltIn
Monitoring Deploy-Diagnostics-CosmosDB Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB account that is missing these diagnostic settings is created or updated. The policy sets the diagnostic setting with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-09-27 17:59:47 ALZ
SQL Deploy-SQL-minTLS SQL servers deploys a specific min TLS version requirement. Deploys a specific min TLS version requirement and enforces SSL on SQL servers. Enforcing a minimum TLS version for connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Server Contributor
change
Minor (1.0.0 > 1.1.0) 2023-09-27 17:59:47 ALZ
Monitoring DenyAction-DiagnosticLogs DenyAction implementation on Diagnostic Logs. DenyAction implementation on Diagnostic Logs. Fixed
denyAction
add
new Policy 2023-09-27 17:59:47 ALZ
App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.3 > 1.0.4) 2023-09-22 17:59:46 BuiltIn
App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
Kubernetes 40f1aee2-4db4-4b74-acb1-c6972e24cca8 Configure Node OS Auto upgrade on Azure Kubernetes Cluster Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
new Policy 2023-09-22 17:59:46 BuiltIn
Kubernetes 04408ca5-aa10-42ce-8536-98955cdddd4c Azure Kubernetes Service Clusters should enable node os auto-upgrade AKS node OS auto-upgrade controls node-level OS security updates. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-09-22 17:59:46 BuiltIn
App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (1.0.1 > 1.0.2) 2023-09-22 17:59:46 BuiltIn
App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
Managed Identity fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners This policy limits federation with GitHub repos to only approved repository owners. Default
Audit
Allowed
Audit, Disabled, Deny
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-22 17:59:46 BuiltIn
Kubernetes af3c26b2-6fad-493e-9236-9c68928516ab Azure Kubernetes Service Clusters should enable Image Cleaner Image Cleaner performs automatic vulnerable, unused image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up. Learn more at: https://aka.ms/aks/image-cleaner. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-09-18 18:02:04 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
new Policy 2023-09-18 18:02:04 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Patch, old suffix: preview (4.4.0-preview > 4.4.1) 2023-09-18 18:02:04 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, old suffix: preview (3.9.0-preview > 3.9.1) 2023-09-18 18:02:04 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, old suffix: preview (3.4.0-preview > 3.4.1) 2023-09-18 18:02:04 BuiltIn
Media Services daccf7e4-9808-470c-a848-1c5b582a1afb Azure Media Services content key policies should use token authentication Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Microsoft Entra ID. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-09-18 18:02:04 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Azure Connected Machine Resource Administrator
change
Patch, old suffix: preview (2.2.0-preview > 2.2.1) 2023-09-18 18:02:04 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-11 17:59:12 BuiltIn
Tags 36fd7371-8eb7-4321-9c30-a7100022d048 Requires resources to not have a specific tag. This is a versioning test built-in. Denies the creation of a resource that contains the given tag. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-09-11 17:59:12 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-09-11 17:59:12 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on Azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Patch, old suffix: preview (3.1.0-preview > 3.1.1) 2023-09-11 17:59:12 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 08a4470f-b26d-428d-97f4-7e3e9c92b366 Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-09-11 17:59:12 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on Azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor, suffix remains equal (4.3.0-preview > 4.4.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 84cfed75-dfd4-421b-93df-725b479d356a Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.8.0-preview > 3.9.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (3.1.0-preview > 3.1.1) 2023-09-11 17:59:12 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2023-09-11 17:59:12 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2023-09-11 17:59:12 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
new Policy 2023-09-01 18:00:13 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) 2023-09-01 18:00:13 BuiltIn
Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (2.0.0 > 2.1.0) 2023-09-01 18:00:13 BuiltIn
Key Vault a2a5b911-5617-447e-a49e-59dbe0e0434b Resource logs in Azure Key Vault Managed HSM should be enabled To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-09-01 18:00:13 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (1.0.2 > 1.1.0) 2023-09-01 18:00:13 BuiltIn
Internet of Things 383856f8-de7f-44a2-81fc-e5135b5c2aa4 Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-09-01 18:00:13 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) 2023-09-01 18:00:13 BuiltIn
Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-09-01 18:00:13 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) 2023-08-28 18:00:34 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) 2023-08-28 18:00:34 BuiltIn
Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services accounts should enable data encryption with a customer-managed key Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-08-28 18:00:34 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-08-28 18:00:34 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2023-08-28 18:00:34 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2023-08-28 18:00:34 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-08-28 18:00:34 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (2.3.0 > 2.4.0) 2023-08-22 17:59:24 BuiltIn
Automanage b025cfb4-3702-47c2-9110-87fe0cfcc99b Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.3.0 > 1.4.0) 2023-08-22 17:59:24 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center feedbf84-6b99-488c-acc2-71c829aa5ffc SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-08-22 17:59:24 BuiltIn
Kubernetes cf426bb8-b320-4321-8545-1b784a5df3a4 [Image Integrity] Kubernetes clusters should only use images signed by notation Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Monitoring c7f3bf36-b807-4f18-82dc-f480ad713635 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks whether Processes and Dependencies should be enabled and creates the DCR accordingly. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) 2023-08-11 17:58:20 BuiltIn
Security Center ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-08-11 17:58:20 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
change
Patch (1.0.2 > 1.0.3) 2023-08-11 17:58:20 BuiltIn
Security Center 640d2586-54d2-465f-877f-9ffc1d2109f4 Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-08-11 17:58:20 BuiltIn
Security Center 689f7782-ef2c-4270-a6d0-7664869076bd Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Patch (1.0.1 > 1.0.2) 2023-08-11 17:58:20 BuiltIn
Monitoring 7c4214e9-ea57-487a-b38e-310ec09bc21d [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks whether Processes and Dependencies should be enabled and creates the DCR accordingly. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) 2023-08-11 17:58:20 BuiltIn
Monitoring a0f27bdc-5b15-4810-b81d-7c4df9df1a37 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks whether Processes and Dependencies should be enabled and creates the DCR accordingly. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) 2023-08-11 17:58:20 BuiltIn
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration fad40cac-a972-4db0-b204-f1b15cced89a Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
App Service cd794351-e536-40f4-9750-503a463d8cad Configure Function apps to disable public network access Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 [Preview]: Linux machines should meet STIG compliance requirement for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Network 2d21331d-a4c2-4def-a9ad-ee4e1e023beb App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (2.0.0 > 2.0.1) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.4.0-preview > 3.8.0-preview) 2023-08-03 17:56:09 BuiltIn
Container Instance 41ebf9df-66cb-48e9-a8d0-98afb4e150ce Configure diagnostic settings for container groups to Log Analytics workspace Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-08-03 17:56:09 BuiltIn
App Service 242222f3-4985-4e99-b5ef-086d6a6cb01c Configure Function app slots to disable public network access Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
General 335d919a-dc24-4a94-b7cb-9f81b1a8156f Do Not Allow MCPP resources Block creation of MCPP resources. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
Kubernetes 2cc2e023-0dac-4046-875b-178f683929d5 Azure Kubernetes Service Clusters should enable workload identity Workload identity allows you to assign a unique identity to each Kubernetes Pod and associate it with Azure AD protected resources such as Azure Key Vault, enabling secure access to these resources from within the Pod. Learn more at: https://aka.ms/aks/wi. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.2.0-preview) 2023-08-03 17:56:09 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (3.1.0-preview > 3.3.0-preview) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor, suffix remains equal (4.0.0-preview > 4.3.0-preview) 2023-08-03 17:56:09 BuiltIn
Security Center 3ac7c827-eea2-4bde-acc7-9568cd320efa Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-08-03 17:56:09 BuiltIn
General 176b7c36-ac64-4f15-a296-50bd7fafab12 Do Not Allow M365 resources Block creation of M365 resources. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-08-03 17:56:09 BuiltIn
Security Center 8ac833bd-f505-48d5-887e-c993a1d3eea0 API endpoints in Azure API Management should be authenticated API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
Security Center c8acafaf-3d23-44d1-9624-978ef0f8652c API endpoints that are unused should be disabled and removed from the Azure API Management service As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
General 16fabb5c-7379-4433-8009-042066fa3a16 Exclude Usage Costs Resources This policy enables you to exclude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-08-03 17:56:09 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-08-03 17:56:09 BuiltIn
Kubernetes e1352e44-d34d-4e4d-a22e-451a15f759a1 Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-08-03 17:56:09 BuiltIn
Guest Configuration e79ffbda-ff85-465d-ab8e-7e58a557660f [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
App Service c6c3e00e-d414-4ca4-914f-406699bb8eee Configure App Service app slots to disable public network access Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
App Service 2374605e-3e0b-492b-9046-229af202562c Configure App Service apps to disable public network access Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-08-03 17:56:09 BuiltIn
Cost Optimization Audit-AzureHybridBenefit Audit AHUB for eligible VMs Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-25 17:56:05 ALZ
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor, suffix remains equal (4.1.0-preview > 4.0.0-preview) 2023-07-25 17:56:05 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.6.0-preview > 3.4.0-preview) 2023-07-25 17:56:05 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.5.0-preview > 3.6.0-preview) 2023-07-24 17:56:14 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) 2023-07-24 17:56:14 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Guest Configuration 480d0f91-30af-4a76-9afb-f5710ac52b09 Private endpoints for Guest Configuration assignments should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-07-24 17:56:14 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Backup d6f6f560-14b7-49a4-9fc8-d2c3a9807868 [Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-24 17:56:14 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Security Center 766e621d-ba95-4e43-a6f2-e945db3d7888 Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for Cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2023-07-24 17:56:14 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-07-24 17:56:14 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.0.0 > 3.1.0) 2023-07-14 17:56:09 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-07-14 17:56:09 BuiltIn
Compute c3921d55-b741-4d16-8d56-7f16e99e6892 Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. When an export/upload URL is used, the system checks if the user has an identity in Azure Active Directory and has the necessary permissions to export/upload the data. Please refer to aka.ms/DisksAzureADAuth. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
add
new Policy 2023-07-14 17:56:09 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.3.0 > 1.4.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.3.0 > 1.4.0) 2023-07-14 17:56:09 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.1.0 > 4.2.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.0.0 > 3.1.0) 2023-07-14 17:56:09 BuiltIn
Storage c36a325b-ae04-4863-ad4f-19c6678f8e08 Configure your Storage account to enable blob versioning You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-07-10 18:02:26 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.4.0-preview > 3.5.0-preview) 2023-07-10 18:02:26 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) 2023-07-10 18:02:26 BuiltIn
SQL Managed Instance bb3c7464-033e-41ee-81dc-480fde675b20 TLS protocol 1.2 must be used for Arc SQL managed instances. As a part of network settings, Microsoft recommends allowing only TLS 1.2 for TLS protocols in SQL Servers. Learn more on network settings for SQL Server at https://aka.ms/TlsSettingsSQLServer. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-10 18:02:26 BuiltIn
SQL Managed Instance 6599ab01-29bc-4852-a6f5-de9e2151714a Transparent Data Encryption must be enabled for Arc SQL managed instances. Enable transparent data encryption (TDE) at-rest on an Azure Arc-enabled SQL Managed Instance. Learn more at https://aka.ms/EnableTDEArcSQLMI. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-10 18:02:26 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) 2023-07-10 18:02:26 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Patch (1.0.1 > 1.0.2) 2023-07-10 18:02:26 BuiltIn
SQL Managed Instance 413923f0-ff16-41ae-8583-90c5c5d9fa8f Customer managed key encryption must be used as part of CMK Encryption for Arc SQL managed instances. As a part of CMK encryption, Customer managed key encryption must be used. Learn more at https://aka.ms/EnableTDEArcSQLMI. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-10 18:02:26 BuiltIn
Storage 978deb5d-c9a7-41f8-b4b2-b76880d0de1f Modify - Configure your Storage account to enable blob versioning You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Please note existing storage accounts will not be modified to enable Blob storage versioning. Only newly created storage accounts will have Blob storage versioning enabled. Default
Modify
Allowed
Modify, Disabled
count: 001
Storage Account Contributor
add
new Policy 2023-07-10 18:02:26 BuiltIn
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)
2023-07-07 17:55:09 ALZ
SQL Deploy-Sql-vulnerabilityAssessments_20230706 Deploy SQL Database Vulnerability Assessments Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 003
Monitoring Contributor
SQL Security Manager
Storage Account Contributor
add
new Policy

Replaces: [Deprecated]: Deploy SQL Database vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments)
2023-07-07 17:55:09 ALZ
SQL Deploy-Sql-vulnerabilityAssessments [Deprecated]: Deploy SQL Database vulnerability Assessments Deploy SQL Database vulnerability Assessments when it does not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 003
Monitoring Contributor
SQL Security Manager
Storage Account Contributor
change
Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated)

Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ
2023-07-07 17:55:09 ALZ
Security Center 3ac7c827-eea2-4bde-acc7-9568cd320efa Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-07-03 17:55:16 BuiltIn
Backup 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda [Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-07-03 17:55:16 BuiltIn
Backup f19b0c83-716f-4b81-85e3-2dbf057c35d6 [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-07-03 17:55:16 BuiltIn
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (4.1.1-deprecated > 4.2.1-deprecated) 2023-06-26 17:52:13 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (7.1.0 > 7.1.1) 2023-06-26 17:52:13 BuiltIn
App Platform af35e2a4-ef96-44e7-a9ae-853dd97032c4 Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Default
Audit
Allowed
Audit, Disabled, Deny
change
Minor (1.1.0 > 1.2.0) 2023-06-26 17:52:13 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (6.1.0 > 6.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (7.1.0 > 7.1.1) 2023-06-26 17:52:13 BuiltIn
Security Center 3ac7c827-eea2-4bde-acc7-9568cd320efa Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-06-26 17:52:13 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (4.0.0 > 4.0.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (8.1.0 > 8.1.1) 2023-06-26 17:52:13 BuiltIn
Key Vault d8cf8476-a2ec-4916-896e-992351803c44 Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-06-26 17:52:13 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (6.1.0 > 6.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (7.1.0 > 7.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (6.1.0 > 6.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (5.1.0 > 5.1.1) 2023-06-26 17:52:13 BuiltIn
Data Factory 77d40665-3120-4348-b539-3192ec808307 Azure Data Factory should use a Git repository for source control Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (5.1.0 > 5.1.1) 2023-06-26 17:52:13 BuiltIn
Data Factory 6809a3d0-d354-42fb-b955-783d207c62a8 Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-06-26 17:52:13 BuiltIn
Storage Deny-FileServices-InsecureSmbChannel File Services with insecure SMB channel encryption should be denied This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Network Deny-UDR-With-Specific-NextHop User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-StorageAccount-CustomDomain Storage Accounts with custom domains assigned should be denied This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-Storage-SFTP Storage Accounts with SFTP enabled should be denied This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureKerberos File Services with insecure Kerberos ticket encryption should be denied This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Network Deny-Subnet-Without-Penp Subnets without Private Endpoint Network Policies enabled should be denied This policy denies the creation of a subnet without Private Endpoint Network Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Machine Learning Deny-MachineLearning-PublicNetworkAccess [Deprecated] Azure Machine Learning should have disabled public network access Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html Default
Deny
Allowed
Audit, Disabled, Deny
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Azure Machine Learning Workspaces should disable public network access (438c38d2-3772-465a-a9cc-7a6666a275ce) BuiltIn
2023-06-20 20:17:42 ALZ
SQL Deny-PublicEndpoint-MariaDB [Deprecated] Public network access should be disabled for MariaDB This policy denies the creation of MariaDB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html Default
Deny
Allowed
Audit, Deny, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077) BuiltIn
2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureAuth File Services with insecure authentication methods should be denied This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureSmbVersions File Services with insecure SMB versions should be denied This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-06-16 17:46:02 BuiltIn
Logic Apps 34f95f76-5386-4de7-b824-0d8478470c9d Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (5.0.0 > 5.1.0) 2023-06-16 17:46:02 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-06-16 17:46:02 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-06-16 17:46:02 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) 2023-06-16 17:46:02 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-06-16 17:46:02 BuiltIn
App Service 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba App Service apps should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
change
Minor (1.0.0 > 1.1.0) 2023-06-09 17:46:13 BuiltIn
App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.1.0-deprecated) 2023-06-09 17:46:13 BuiltIn
App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
Security Center ae89ebca-1c92-4898-ac2c-9f63decb045c Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-06-09 17:46:13 BuiltIn
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (4.0.1 > 4.1.0) 2023-06-09 17:46:13 BuiltIn
App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-06-09 17:46:13 BuiltIn
Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-deprecated > 1.1.0-deprecated) 2023-06-09 17:46:13 BuiltIn
App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
Security Center bb2c6c6d-14bc-4443-bef3-c6be0adc6076 [Preview]: Azure Security agent should be installed on your Windows virtual machines Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Backup 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda [Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
add
new Policy 2023-06-06 18:29:21 BuiltIn
Backup f19b0c83-716f-4b81-85e3-2dbf057c35d6 [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
add
new Policy 2023-06-06 18:29:21 BuiltIn
Security Center e16f967a-aa57-4f5e-89cd-8d1434d0a29a [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 Windows machines should schedule Windows Defender to perform a scheduled scan every day To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2023-06-06 18:29:21 BuiltIn
Security Center 1537496a-b1e8-482b-a06a-1cc2415cdc7b [Preview]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Security Center 13a6c84f-49a5-410a-b5df-5b880c3fe009 [Preview]: Linux virtual machines should use only signed and trusted boot components All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-06-06 18:29:21 BuiltIn
Security Center 808a7dc4-49f2-4e7b-af75-d14e561c244a [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Monitoring Deploy-Diagnostics-Firewall Deploy Diagnostic Settings for Firewall to Log Analytics workspace Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-05-30 30:17:42 ALZ
Azure Databricks 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption Only allow Databricks workspaces with the Premium SKU that your organization can deploy to support features like Private Link and customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.0.1 > 1.0.2) 2023-05-26 17:43:09 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.2.0 > 1.3.0) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 0eddd7f3-3d9b-4927-a07a-806e8ac9486c Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-26 17:43:09 BuiltIn
Cosmos DB 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-05-26 17:43:09 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
Patch (4.0.3 > 4.0.4) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-05-26 17:43:09 BuiltIn
Cosmos DB dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Modify
Allowed
Modify, Disabled
count: 001
DocumentDB Account Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-26 17:43:09 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-05-26 17:43:09 BuiltIn
Security Center 73d6ab6c-2475-4850-afd6-43795f3492ef Deploy Workflow Automation for Microsoft Defender for Cloud recommendations Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists
count: 001
Contributor
change
Patch (5.0.0 > 5.0.1) 2023-05-26 17:43:09 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.2.0 > 1.3.0) 2023-05-26 17:43:09 BuiltIn
Security Center f1525828-9a90-4fcf-be48-268cdd02361e Deploy Workflow Automation for Microsoft Defender for Cloud alerts Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists
count: 001
Contributor
change
Patch (5.0.0 > 5.0.1) 2023-05-26 17:43:09 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (4.2.0 > 4.3.0) 2023-05-26 17:43:09 BuiltIn
Security Center 509122b9-ddd9-47ba-a5f1-d0dac20be63c Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists
count: 001
Contributor
change
Patch (5.0.0 > 5.0.1) 2023-05-26 17:43:09 BuiltIn
App Service Append-AppService-latestTLS AppService append sites with minimum TLS version to enforce. Append the AppService sites object to ensure that min TLS version is set to the required minimum TLS version. Please note that Append does not enforce compliance; use Deny for that. Default
Append
Allowed
Append, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-05-22 22:17:43 ALZ
Monitoring Deploy-Diagnostics-APIMgmt Deploy Diagnostic Settings for API Management to Log Analytics workspace Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-05-22 22:17:43 ALZ
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (2.0.0 > 2.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 51c1490f-3319-459c-bbbc-7f391bbed753 Azure Databricks Clusters should disable public IP Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning f59276f0-5740-4aaf-821d-45d185aa210e Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Security Center 090c7b07-b4ed-4561-ad20-e9075f3ccaff Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-22 17:43:18 BuiltIn
Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 Azure Databricks Workspaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning 438c38d2-3772-465a-a9cc-7a6666a275ce Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (2.0.0 > 2.0.1) 2023-05-22 17:43:18 BuiltIn
App Service cca5adfe-626b-4cc6-8522-f5b6ed2391bd Configure App Service app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning afe0c3be-ba3b-4544-ba52-0c99672a8ad6 Resource logs in Azure Machine Learning Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
change
Patch (1.0.1 > 1.0.2) 2023-05-22 17:43:18 BuiltIn
Data Factory 3d02a511-74e5-4dab-a5fd-878704d4a61a [Preview]: Azure Data Factory pipelines should only communicate with allowed domains To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Deny
Allowed
Deny, Disabled
add
new Policy 2023-05-22 17:43:18 BuiltIn
App Service 70adbb40-e092-42d5-a6f8-71c540a5efdb Configure Function app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 138ff14d-b687-4faa-a81c-898c91a87fa2 Resource logs in Azure Databricks Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning 7804b5c7-01dc-4723-969b-ae300cc07ff1 Azure Machine Learning Computes should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace which is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (2.0.0 > 2.0.1) 2023-05-22 17:43:18 BuiltIn
Security Center a1181c5f-672a-477a-979a-7d58aa086233 Security Center standard pricing tier should be selected The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center Default
Audit
Allowed
Audit, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-05-22 17:43:18 BuiltIn
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
change
Major (1.0.0 > 2.0.0)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)
2023-05-17 17:17:42 ALZ
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-05-16 17:42:35 BuiltIn
SQL e27a6dfc-883f-4f9e-97cc-a819fe702400 [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled This policy is deprecated because it uses an unsupported API. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2023-05-16 17:42:35 BuiltIn
Azure Data Explorer 8945ba5e-918e-4a57-8117-fe615d12e3ba All Database Admin on Azure Data Explorer should be disabled Disable the All Database Admin role to restrict the granting of highly privileged/administrative user roles. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-16 17:42:35 BuiltIn
Security Center 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-12 17:41:51 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) 2023-05-12 17:41:51 BuiltIn
Data Factory 496ca26b-f669-4322-a1ad-06b7b5e41882 Configure private endpoints for Data factories Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Data Factory Contributor
Network Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-12 17:41:51 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) 2023-05-12 17:41:51 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS-specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS-owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-05 17:42:17 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-05 17:42:17 BuiltIn
Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set the specified time zone on Windows virtual machines. Fixed
deployIfNotExists
count: 001
Guest Configuration Resource Contributor
change
Minor (2.0.0 > 2.1.0) 2023-05-05 17:42:17 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-05 17:42:17 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-05 17:42:17 BuiltIn
SQL Server f36de009-cacb-47b3-b936-9c4c9120d064 Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-05 17:42:17 BuiltIn
App Service 7238174a-fd10-4ef0-817e-fc820a951d73 Function apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface (CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. The in-tree provisioner StorageClass is deprecated since AKS version 1.21. To learn more, see https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 689f7782-ef2c-4270-a6d0-7664869076bd Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less than or equal to the resource limit, or unspecified, to avoid overcommit. If Windows memory is over-provisioned it will page to disk, which can slow down performance, instead of terminating the container with an out-of-memory error. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 496223c3-ad65-4ecd-878a-bae78737e9ed App Service apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 46dad49f-8945-44d7-9bb1-2e1542f627d3 App Service app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center e3576e28-8b17-4677-84c3-db2990658d64 [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Monitoring 04d53d87-841c-4f23-8a5b-21564380b55e Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (2.0.0 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 9c014953-ef68-4a98-82af-fd0f6b2306c8 App Service app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Security Center 9297c21d-2ed6-4474-b48f-163f75654ce3 [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.1 > 3.0.1-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (4.0.1 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
SQL 40e85574-ef33-47e8-a854-7a65c7500560 Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Security Center ebb62a0c-3560-49e1-89ed-27e074e9f8ad [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 0cfea604-3201-4e14-88fc-fae4c427a6c5. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) 2023-05-01 17:41:52 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.0.1 > 9.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 014664e7-e348-41a3-aeb9-566e4ff6a9df Configure App Service app slots to use the latest TLS version Periodically, newer versions of TLS are released to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.0.1 > 9.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
App Service fa3a6357-c6d6-4120-8429-855577ec0063 Configure Function app slots to use the latest TLS version Periodically, newer versions of TLS are released to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 6b1cbf55-e8b6-442f-ba4c-7246b6381474 [Deprecated]: Deprecated accounts should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Security Center 1f725891-01c0-420a-9059-4fa46cb770b7 Configure Microsoft Defender for Key Vault plan Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read-only root file system to protect against run-time changes such as malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center f8456c1c-aa66-4dfb-861a-25d127b775c9 [Deprecated]: External accounts with owner permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 339353f6-2387-4a45-abe4-7f529d121046. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740 (Endpoint and EndpointSlice permissions allow cross-Namespace forwarding; see https://github.com/kubernetes/kubernetes/issues/103675). This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 2370a3c1-4a25-4283-a91a-c9c1a145fb2f [Deprecated]: Configure Azure Defender for DNS to be enabled This policy definition is no longer the recommended way to achieve its intent, because the DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Security Center 74c30959-af11-47b3-9ed2-a26e03f427a3 Configure Microsoft Defender for Storage (Classic) to be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
SQL e27a6dfc-883f-4f9e-97cc-a819fe702400 [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled This policy is deprecated because it uses an unsupported API. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (4.0.1 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 [Deprecated]: External accounts with read permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e9ac8f8e-ce22-4355-8f04-99b911d6be52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
App Service e1d1b522-02b0-4d18-a04f-5ab62d20445f Function app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 5c607a2e-c700-4744-8254-d77e7c9eb5e4 [Deprecated]: External accounts with write permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 94e1c2ac-cbbe-4cac-a2b5-389c812dee87. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 5485eac0-7e8f-4964-998b-a44f4f0c1e75 Kubernetes cluster Windows containers should not run as ContainerAdministrator Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
API Management ffe25541-3853-4f4e-b71d-064422294b11 API Management should have username and password authentication disabled To better secure the developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
App Service f466b2a6-823d-470d-8ea5-b031e72d79ae App Service app slots that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Security Center aa633080-8b72-40c4-a2d7-d00c03e80bed [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e3e008c3-56b9-4133-8fd7-d3347377402a. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.1.1 > 3.2.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.0.1 > 9.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, ReplicaSet, DaemonSet or Jobs Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 50ea7265-7d8c-429e-9a7d-ca1f410191c3 Configure Azure Defender for SQL servers on machines to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center c9ddb292-b203-4738-aead-18e2716e858f Configure Microsoft Defender for Containers to be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
App Service 7008174a-fd10-4ef0-817e-fc820a951d73 App Service apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 829b40f3-d3db-4fd2-be46-76663d3aeeb2 Function app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Security Center 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 Configure Azure Defender for servers to be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (2.1.1-preview > 2.2.0-preview) 2023-05-01 17:41:52 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
Patch (4.0.2 > 4.0.3) 2023-05-01 17:41:52 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center b99b73e7-074b-4089-9395-b7236f094491 Configure Azure Defender for Azure SQL database to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Function apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Cache Append-Redis-disableNonSslPort Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server-to-client communication by enforcing a minimal TLS version; securing the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
Append
Allowed
Append, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-04-25 25:17:42 ALZ
Guest Configuration 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Audit Windows machines that do not have the maximum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not have the maximum password age set to the specified number of days. Default value for maximum password age is 70 days Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Guest Configuration a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Audit Windows machines that do not restrict the minimum password length to specified number of characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not restrict the minimum password length to the specified number of characters. Default value for minimum password length is 14 characters Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Guest Configuration 237b38db-ca4d-4259-9e47-7882441ca2c0 Audit Windows machines that do not have the minimum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not have the minimum password age set to the specified number of days. Default value for minimum password age is 1 day Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Guest Configuration 5b054a0d-39e2-4d53-bea3-9734cad2c69b Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they allow re-use of passwords after the specified number of unique passwords. Default value for unique passwords is 24 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Security Center af9f6c70-eb74-4189-8d15-e4f11a7ebfd4 Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-04-25 17:42:14 BuiltIn
Security Center cdfcce10-4578-4ecd-9703-530938e4abcb Deploy export to Event Hub for Microsoft Defender for Cloud data Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists
count: 001
Contributor
change
Minor (4.1.0 > 4.2.0) 2023-04-25 17:42:14 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs; additional steps, available through the Defender for Cloud platform, are required to complete onboarding. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2023-04-17 17:42:20 BuiltIn
SQL Server f36de009-cacb-47b3-b936-9c4c9120d064 Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-04-17 17:42:20 BuiltIn
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2023-04-17 17:42:20 BuiltIn
Managed Grafana 67529aa1-5285-4b1c-8e6f-5ccd861ac98e Configure Azure Managed Grafana workspaces to disable public network access Disable public network access for your Azure Managed Grafana workspace so that it's not accessible over the public internet. This can reduce data leakage risks. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
add
new Policy 2023-04-17 17:42:20 BuiltIn
API Management ffe25541-3853-4f4e-b71d-064422294b11 API Management should have username and password authentication disabled To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-17 17:42:20 BuiltIn
API Management 1b0d74ac-4b43-4c39-a15f-594385adc38d Modify API Management to disable username and password authentication To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Modify
Allowed
Modify
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2023-04-17 17:42:20 BuiltIn
SQL Deploy-Sql-Tde [Deprecated] Deploy SQL Database Transparent Data Encryption Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Security Manager
change
Patch, suffix remains equal (1.1.0-deprecated > 1.1.1-deprecated)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn
2023-04-17 17:17:42 ALZ
Network Deny-RDP-From-Internet [Deprecated] RDP access from the Internet should be blocked This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html Default
Deny
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated)

Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ
2023-04-17 17:17:42 ALZ
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (3.1.0 > 3.1.1) 2023-04-11 17:42:55 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 2f080164-9f4d-497e-9db6-416dc9f7b48a Network Watcher flow logs should have traffic analytics enabled Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-04-06 17:42:16 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.1.0 > 1.2.0) 2023-04-06 17:42:16 BuiltIn
Managed Identity ae62c456-33de-4dc8-b100-7ce9028a7d99 [Preview]: Managed Identity Federated Credentials from Azure Kubernetes should be from trusted sources This policy limits federation with Azure Kubernetes clusters to only clusters from approved tenants, approved regions, and a specific exception list of additional clusters. Default
Audit
Allowed
Audit, Disabled, Deny
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.2.0 > 2.3.0) 2023-04-06 17:42:16 BuiltIn
Tags 36fd7371-8eb7-4321-9c30-a7100022d048 Requires resources to not have a specific tag. This is a versioning test built-in. Denies the creation of a resource that contains the given tag. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-04-06 17:42:16 BuiltIn
SQL 146412e9-005c-472b-9e48-c87b72ac229e A Microsoft Entra administrator should be provisioned for MySQL servers Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-04-06 17:42:16 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (4.1.0 > 4.2.0) 2023-04-06 17:42:16 BuiltIn
Network cd6f7aff-2845-4dab-99f2-6d1754a754b0 Deploy a Flow Log resource with target virtual network Configures a flow log for a specific virtual network. It allows logging information about IP traffic flowing through a virtual network. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-04-06 17:42:16 BuiltIn
Managed Identity 2571b7c3-3056-4a61-b00a-9bc5232234f5 [Preview]: Managed Identity Federated Credentials should be from allowed issuer types This policy limits whether Managed Identities can use federated credentials, which common issuer types are allowed, and provides a list of allowed issuer exceptions. Default
Audit
Allowed
Audit, Disabled, Deny
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 27960feb-a23c-4577-8d36-ef8b5f35e0be All flow log resources should be in enabled state Audit flow log resources to verify that flow log status is enabled. Enabling flow logs allows logging of information about IP traffic flows. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-04-06 17:42:16 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 4c3c6c5f-0d47-4402-99b8-aa543dd8bcee Audit flow logs configuration for every virtual network Audit virtual networks to verify that flow logs are configured. Enabling flow logs allows logging of information about IP traffic flowing through the virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-04-06 17:42:16 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-04-06 17:42:16 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 3e9965dc-cc13-47ca-8259-a4252fd0cf7b Configure virtual network to enable Flow Log and Traffic Analytics Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current settings for virtual networks that already have these features enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.1.0 > 1.2.0) 2023-04-06 17:42:16 BuiltIn
Managed Identity fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners This policy limits federation with GitHub repos to only approved repository owners. Default
Audit
Allowed
Audit, Disabled, Deny
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.2.0 > 2.3.0) 2023-04-06 17:42:16 BuiltIn
Monitoring Deploy-Diagnostics-WVDHostPools Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pool that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic setting with all categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.2.0 > 1.3.0) 2023-04-06 06:17:42 ALZ
Cost Optimization Audit-Disks-UnusedResourcesCostOptimization Unused Disks driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-06 06:17:42 ALZ
Cost Optimization Audit-ServerFarms-UnusedResourcesCostOptimization Unused App Service plans driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-06 06:17:42 ALZ
SQL Deploy-Sql-Tde [Deprecated] Deploy SQL Database Transparent Data Encryption Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Security Manager
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn
2023-04-06 06:17:42 ALZ
Network Audit-PrivateLinkDnsZones Audit the creation of Private Link Private DNS Zones This policy audits the creation of Private Link Private DNS Zones in the current scope; it is used in combination with policies that create centralized private DNS in the connectivity subscription. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-04-06 06:17:42 ALZ
Network Deny-RDP-From-Internet [Deprecated] RDP access from the Internet should be blocked This policy denies any network security rule that allows RDP access from the Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html Default
Deny
Allowed
Audit, Deny, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ
2023-04-06 06:17:42 ALZ
Monitoring Deploy-Diagnostics-EventGridTopic Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic setting with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-04-06 06:17:42 ALZ
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)
2023-04-06 06:17:42 ALZ
Compute Deploy-Vm-autoShutdown Deploy Virtual Machine Auto Shutdown Schedule Deploys an auto shutdown schedule to a virtual machine Fixed
deployIfNotExists
count: 001
Virtual Machine Contributor
add
new Policy 2023-04-06 06:17:42 ALZ
Cost Optimization Audit-PublicIpAddresses-UnusedResourcesCostOptimization Unused Public IP addresses driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-06 06:17:42 ALZ
Monitoring Deploy-Diagnostics-VWanS2SVPNGW Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic setting with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-04-06 06:17:42 ALZ
Security Center 74c30959-af11-47b3-9ed2-a26e03f427a3 Configure Microsoft Defender for Storage (Classic) to be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
API Management df73bd95-24da-4a4f-96b9-4e8b94b402bd API Management should disable public network access to the service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Key Vault 405c5871-3e91-4644-8a63-58e19d68ff5b Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-03-31 17:44:15 BuiltIn
Cosmos DB da69ba51-aaf1-41e5-8651-607cd0b37088 Configure CosmosDB accounts to disable public network access Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default
Modify
Allowed
Modify, Disabled
count: 002
Contributor
DocumentDB Account Contributor
change
Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Network 4598f028-de1f-4694-8751-84dceb5f86b9 Azure Web Application Firewall on Azure Front Door should have request body inspection enabled Ensure that Web Application Firewalls associated with Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
Network ca85ef9a-741d-461d-8b7a-18c2da82c666 Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled Ensure that Web Application Firewalls associated with Azure Application Gateways have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
API Management b741306c-968e-4b67-b916-5675e5c709f4 API Management direct management endpoint should not be enabled The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. Default
Audit
Allowed
Audit, Disabled, Deny
change
Patch (1.0.1 > 1.0.2) 2023-03-31 17:44:15 BuiltIn
Key Vault 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key vaults should have deletion protection enabled Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-03-31 17:44:15 BuiltIn
Network 882e19a6-996f-400e-a30f-c090887254f4 Migrate WAF from WAF Config to WAF Policy on Application Gateway If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
API Management 1b0d74ac-4b43-4c39-a15f-594385adc38d Modify API Management to disable username and password authentication To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Modify
Allowed
Modify
count: 001
Contributor
add
new Policy 2023-03-31 17:44:15 BuiltIn
Network e52e8487-4a97-48ac-b3e6-1c3cef45d298 Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
API Management 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 Configure API Management services to disable access to API Management public service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
API Management Service Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-31 17:44:15 BuiltIn
Security Center 308fbb08-4ab8-4e67-9b29-592e93fb94fa [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.3 > 1.0.4) 2023-03-31 17:44:15 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities: Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2023-03-31 17:44:15 BuiltIn
Monitoring cd906338-3453-47ba-9334-2d654bf845af Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined, recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Extension for SQL Server Deployment
change
Minor (3.3.0 > 3.4.0) 2023-03-31 17:44:15 BuiltIn
API Management ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-03-31 17:44:15 BuiltIn
Security Center 17bc14a7-92e1-4551-8b8c-80f36953e166 Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection, use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2023-03-31 17:44:15 BuiltIn
Storage 361c2074-3595-4e5d-8cab-4f21dffc835c Deploy Defender for Storage (Classic) on storage accounts This policy enables Defender for Storage (Classic) on storage accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring b9b976cc-59ef-468a-807e-19afa2ebfd52 Enable logging by category group for microsoft.network/p2svpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring e7c86682-34c1-488a-9aab-9cb279207992 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
API Management ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 API Management APIs should use only encrypted protocols To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. Default
Audit
Allowed
Audit, Disabled, Deny
change
Patch (2.0.1 > 2.0.2) 2023-03-27 17:43:07 BuiltIn
Monitoring 3a8ff864-d881-44ce-bed3-0c63ede634cb Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring a81eb966-6696-46b1-9153-bed01569a7d0 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
App Service a08ae1ab-8d1d-422b-a123-df82b307ba61 App Service app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-03-27 17:43:07 BuiltIn
Monitoring a285df35-0164-4f4d-9e04-c39056742c55 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring dfbfceaa-14b2-4a90-a679-d169fa6a6a38 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 9e6aee71-3781-4acd-bba7-aac4fb067dfa Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring a853abad-dfa4-4bf5-aaa1-04cb10c02d23 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 0eddd7f3-3d9b-4927-a07a-806e8ac9486c Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring a9ebdeda-251a-4311-92be-5167d73b1682 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring fc744b31-a930-4eb5-bc06-e81f98bf7214 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 0628b917-d4b4-4af5-bc2b-b4f87cd173ab Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 8d253bba-a338-4fd9-9752-6b6edadca1eb Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 1abe42e1-a726-4dee-94c2-79f364dac9b7 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring f6d5d5d5-0fa9-4257-b820-69c35016c973 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring d9f11fea-dd45-46aa-8908-b7a146f1e543 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring ae48c709-d2b4-4fad-8c5c-838524130aa4 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring e488a548-7afd-43a7-a903-2a6dd36e7504 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring eb5a4c26-04cb-4ab1-81cb-726dc58df772 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 480851ae-9ff3-49d1-904c-b5bd6f83f1ec Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring f5094957-e0f7-4af2-9e14-13d60141dc4a Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring a142867f-3142-4ac6-b952-ab950a29fca5 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.2.0-preview > 3.3.0-preview) 2023-03-27 17:43:07 BuiltIn
Monitoring 76539a09-021e-4300-953b-4c6018ac26dc Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 792f8b74-dc05-44fd-b90d-340a097b80e6 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 9ba29e83-863d-4fec-81d0-16dd87067cc3 Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 6b2899d8-5fdf-4ade-ba59-f1f82664877b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 Windows machines should schedule Windows Defender to perform a scheduled scan every day To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-03-17 18:44:06 BuiltIn
SignalR 62a3ae95-8169-403e-a2d2-b82141448092 Modify Azure SignalR Service resources to disable public network access To improve the security of the Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Modify
Allowed
Modify, Disabled
count: 001
SignalR/Web PubSub Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-17 18:44:06 BuiltIn
Machine Learning 40cec1dd-a100-4920-b15b-3024fe8901ab [Deprecated]: Azure Machine Learning workspaces should use private link This policy is deprecated because the private link is created after workspace creation, so the deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2023-03-17 18:44:06 BuiltIn
API Management 92bb331d-ac71-416a-8c91-02f2cb734ce4 API Management calls to API backends should not bypass certificate thumbprint or name validation To improve API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. Default
Audit
Allowed
Audit, Disabled, Deny
change
Patch (1.0.1 > 1.0.2) 2023-03-17 18:44:06 BuiltIn
Security Center e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-03-17 18:44:06 BuiltIn
Container Instances 21c469fa-a887-4363-88a9-60bfd6911a15 Configure diagnostics for container group to log analytics workspace Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. Default
Append
Allowed
Append, Disabled
add
new Policy 2023-03-17 18:44:06 BuiltIn
Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers at https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default
Audit
Allowed
Audit, Disabled
change
Patch (2.0.0 > 2.0.1) 2023-03-17 18:44:06 BuiltIn
Machine Learning 45e05259-1eb5-4f70-9574-baf73e9d219b Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-03-17 18:44:06 BuiltIn
SignalR 21a9766a-82a5-4747-abb5-650b6dbba6d0 Azure SignalR Service should disable public network access To improve the security of the Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-03-17 18:44:06 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
Patch (4.0.1 > 4.0.2) 2023-03-17 18:44:06 BuiltIn
Azure Databricks 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption Only allow Databricks workspaces with the Premium SKU, which your organization can deploy to support features like Private Link and customer-managed keys for encryption. Learn more at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-10 18:58:56 BuiltIn
Backup 04726aae-4e8d-427c-af7d-ecf56d490022 [Preview]: Configure Azure Recovery Services vaults to disable public network access Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
add
new Policy 2023-03-10 18:58:56 BuiltIn
Managed Grafana bc33de80-97cd-4c11-b6b4-d075e03c7d60 Configure Azure Managed Grafana dashboards with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-03-10 18:58:56 BuiltIn
Managed Grafana 4c8537f8-cd1b-49ec-b704-18e82a42fd58 Configure Azure Managed Grafana workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2023-03-10 18:58:56 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined, recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Extension for SQL Server Deployment
change
Minor (3.2.0 > 3.3.0) 2023-03-03 18:43:58 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.1.0-preview > 3.2.0-preview) 2023-03-03 18:43:58 BuiltIn
Guest Configuration 3dc5edcd-002d-444c-b216-e123bbfa37c0 Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-03-03 18:43:58 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-03-03 18:43:58 BuiltIn
Kubernetes a8e653d9-b5d4-48a0-afe6-14d881f9ee9a Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed The Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Owner
add
new Policy 2023-03-03 18:43:58 BuiltIn
Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) 2023-02-27 19:03:54 BuiltIn
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer a47272e1-1d5d-4b0b-b366-4873f1432fe0 Configure Azure Data Explorer clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Network Contributor
SQL Server Contributor
add
new Policy 2023-02-27 19:03:54 BuiltIn
Managed Grafana e8775d5a-73b7-4977-a39b-833ef0114628 Azure Managed Grafana workspaces should disable public network access Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Security Center a21f8c92-9e22-4f09-b759-50500d1d2dda [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install the Guest Attestation extension on supported Linux virtual machine scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer 7b32f193-cb28-4e15-9a98-b9556db0bafa Configure Azure Data Explorer to disable public network access Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters. Default
Modify
Allowed
Modify, Disabled
count: 001
SQL Server Contributor
add
new Policy 2023-02-27 19:03:54 BuiltIn
Security Center 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Managed Grafana 3a97e513-f75e-4230-8137-1efad4eadbbc Azure Managed Grafana should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Automanage fb97d6e1-5c98-4743-a439-23e0977bad9e [Preview]: Boot Diagnostics should be enabled on virtual machines Azure virtual machines should have boot diagnostics enabled. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Kubernetes Extension Contributor
change
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) 2023-02-27 19:03:54 BuiltIn
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Security Center 009259b0-12e8-42c9-94e7-7af86aa58d13 [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Reader
Virtual Machine Contributor
change
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer 1fec9658-933f-4b3e-bc95-913ed22d012b Azure Data Explorer should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Security Center c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Security Center f655e522-adff-494d-95c2-52d4f6d56a42 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets Install the Guest Attestation extension on supported virtual machine scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer 43bc7be6-5e69-4b0d-a2bb-e815557ca673 Public network access on Azure Data Explorer should be disabled Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer f7735886-8927-431f-b201-c953922512b8 Azure Data Explorer cluster should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Monitoring Deploy-Diagnostics-Databricks Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks resource which is missing these diagnostic settings is created or updated. The Policy will set the diagnostic setting with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.2.0 > 1.3.0) 2023-02-23 23:18:45 ALZ
Monitoring Deploy-Diagnostics-PostgreSQL Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing these diagnostic settings is created or updated. The Policy will set the diagnostic setting with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (1.1.0 > 2.0.0) 2023-02-23 23:18:45 ALZ
Desktop Virtualization e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access the AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Desktop Virtualization Host Pool Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 7b331e6b-6096-4395-a754-758a64505f19 Configure Azure Virtual Desktop hostpools with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
Minor (3.0.1 > 3.1.0) 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization a22065a3-3b04-46ff-b84c-2d30e5c300d0 Azure Virtual Desktop hostpools should disable public network access only on session hosts Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 02aa841c-42e8-492f-a43d-1f2c67e58d41 Configure Azure Virtual Desktop workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization ce6ebf1d-0b94-4df9-9257-d8cacc238b4f Configure Azure Virtual Desktop workspaces to disable public network access Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Desktop Virtualization Workspace Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (3.0.1 > 3.1.0) 2023-02-16 18:41:08 BuiltIn
Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated) 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 2a0913ff-51e7-47b8-97bb-ea17127f7c8d Configure Azure Virtual Desktop hostpools to disable public network access Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Desktop Virtualization Host Pool Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Key Vault 5f0bc445-3935-4915-9981-011aa2b46147 [Deprecated]: Private endpoint should be configured for Key Vault The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.1.1-deprecated) 2023-02-16 18:41:08 BuiltIn
Automanage e4953962-5ae4-43eb-bb92-d66fd5563487 [Preview]: A managed identity should be enabled on your machines Resources managed by Automanage should have a managed identity. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 87ac3038-c07a-4b92-860d-29e270a4f3cd Azure Virtual Desktop workspaces should disable public network access Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 9427df23-0f42-4e1e-bf99-a6133d841c4a Configure Azure Virtual Desktop hostpool resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Automanage fd4726f4-a5fc-4540-912d-67c96fc992d5 [Preview]: Automanage Configuration Profile Assignment should be Conformant Resources managed by Automanage should have a status of Conformant or ConformantCorrected. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 34804460-d88b-4922-a7ca-537165e060ed Configure Azure Virtual Desktop workspace resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization c25dcf31-878f-4eba-98eb-0818fdc6a334 Azure Virtual Desktop hostpools should disable public network access Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization ca950cd7-02f7-422e-8c23-91ff40f169c1 Azure Virtual Desktop service should use private link Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Monitoring Deploy-Diagnostics-VNetGW Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (1.1.0 > 1.1.1) 2023-02-16 16:18:41 ALZ
Monitoring Deploy-Diagnostics-Website Deploy Diagnostic Settings for App Service to Log Analytics workspace Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-02-16 16:18:41 ALZ
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fe85de62-a656-4b79-9d94-d95c89319bd9 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a categor