last sync: 2024-Jul-17 18:20:29 UTC

Changes on Azure Policy definitions

Category | Id | DisplayName | Description | Effect (Default; Allowed) | Roles used | Subject | Change | Date (UTC ymd) | Type
Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor (1.5.0 > 1.6.0) | 2024-07-17 18:20:29 | BuiltIn
Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Owner | change | Minor (1.3.0 > 1.4.0) | 2024-07-17 18:20:29 | BuiltIn
Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | [Deprecated]: Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Audit; Allowed: Audit, Disabled | - | change | Patch, new suffix: deprecated (3.0.0 > 3.0.1-deprecated) | 2024-07-17 18:20:29 | BuiltIn
Azure Ai Services | d6759c02-b87f-42b7-892e-71b3f471d782 | Azure AI Services resources should use Azure Private Link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview | Default: Audit; Allowed: Audit, Disabled | - | add | new Policy | 2024-07-17 18:20:29 | BuiltIn
Search | 0fda3595-9f2b-4592-8675-4231d6fa82fe | [Deprecated]: Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default: Audit; Allowed: Audit, Disabled | - | change | Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated) | 2024-07-17 18:20:29 | BuiltIn
Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor (1.5.0 > 1.6.0) | 2024-07-17 18:20:29 | BuiltIn
Kubernetes | c812272d-7488-495f-a505-047d34b83f58 | [Preview]: Mutate K8s Init Container to drop all capabilities | Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux init containers | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-15 18:22:44 | BuiltIn
Kubernetes | c873b3ba-c605-42e4-a64b-a142a93826fc | [Preview]: Mutate K8s Container to drop all capabilities | Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-15 18:22:44 | BuiltIn
Network | da79a7e2-8aa1-45ed-af81-ba050c153564 | Azure Firewall Policy should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Guest Configuration | 4078e558-bda6-41fb-9b3c-361e8875200d | [Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | - | change | Minor, new suffix: deprecated (2.0.0 > 2.1.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn
Kubernetes | fe74a23d-79e4-401c-bd0d-fd7a5b35af32 | [Preview]: Sets Kubernetes cluster Pod securityContext.runAsUser fields to 1000, a non-root user id | Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Network | 3e1f521a-d037-4709-bdd6-1f532f271a75 | Azure Firewall should be deployed to span multiple Availability Zones | For increased availability we recommend deploying your Azure Firewall to span multiple Availability Zones. This ensures that your Azure Firewall will remain available in the event of a zone failure. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Network | 7c591a93-c34c-464c-94ac-8f9f9a46e3d6 | Azure Firewall Standard - Classic Rules should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Kubernetes | a8e3ce3c-cac3-4402-a28a-03ee3ede9790 | [Preview]: Sets Kubernetes cluster container securityContext.runAsUser fields to 1000, a non-root user id | Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Kubernetes | 6f87d474-38a9-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. | Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Network | 3f84c9b0-8b64-4208-98d4-6ada96bb49c3 | Azure Firewall Policy should have DNS Proxy Enabled | Enabling DNS Proxy will make the Azure Firewall associated with this policy to listen on port 53 and forward the DNS requests to specified DNS server | Default: Audit; Allowed: Audit, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Kubernetes | 97de439f-fd35-4d43-a693-3644f51a51fd | [Preview]: Sets Kubernetes cluster init containers securityContext.runAsUser fields to 1000, a non-root user id | Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Kubernetes | d77df159-718b-4aca-b94b-8e8890a98231 | [Preview]: Sets Privilege escalation in the Pod spec to false. | Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Security Center | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Default: Audit; Allowed: Audit, Disabled | - | change | Patch (1.0.3 > 1.0.4) | 2024-07-09 18:20:14 | BuiltIn
Security Center | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | [Deprecated]: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | - | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn
Network | 8c19196d-7fd7-45b2-a9b4-7288f47c769a | Azure Firewall Standard should be upgraded to Premium for next generation protection | If you are looking for next generation protection like IDPS and TLS inspection, you should consider upgrading your Azure Firewall to Premium sku. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Kubernetes | 4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8 | [Preview]: Sets Privilege escalation in the Pod spec in init containers to false. | Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Kubernetes | 57f274ef-580a-4ed2-bcf8-5c6fa3775253 | [Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false. | Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default: Disabled; Allowed: AuditIfNotExists, Disabled | - | change | Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn
Network | 72923a3a-e567-46d3-b3f9-ffb2462a1c3a | Virtual Hubs should be protected with Azure Firewall | Deploy an Azure Firewall to your Virtual Hubs to protect and granularly control internet egress and ingress traffic. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Network | dfb5ac92-ce74-4dbc-81fa-87243e62d5d3 | Azure Firewall Policy Analytics should be Enabled | Enabling Policy Analytics provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance | Default: Audit; Allowed: Audit, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Network | 794d77cc-fe65-4801-8514-230c0be387a8 | Azure Firewall Classic Rules should be migrated to Firewall Policy | Migrate from Azure Firewall Classic Rules to Firewall Policy to utilize central management tools such as Azure Firewall Manager. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Guest Configuration | 1e7fed80-8321-4605-b42c-65fc300f23a3 | [Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | - | change | Minor, new suffix: deprecated (1.1.0 > 1.2.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn
Kubernetes | 6bcd4321-fb89-4e3e-bf6c-999c13d47f43 | [Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. | Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. | Default: Mutate; Allowed: Mutate, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Security Center | a4fe33eb-e377-4efb-ab31-0784311bc499 | [Deprecated]: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Default: Disabled; Allowed: AuditIfNotExists, Disabled | - | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn
Kubernetes | e24df237-32cb-4a6c-a2f6-85b499cda9f2 | [Preview]: Prints a message if a mutation is applied | Looks up the mutation annotations applied and prints a message if annotation exists. | Default: Audit; Allowed: Audit, Disabled | - | add | new Policy | 2024-07-09 18:20:14 | BuiltIn
Managed Grafana | a08f2347-fe9c-482b-a944-f6a0e05124c0 | Azure Managed Grafana workspaces should disable Grafana Enterprise upgrade | Disables Grafana Enterprise upgrade in Grafana workspace. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-06-28 18:15:04 | BuiltIn
Managed Grafana | 0656cf40-485c-427b-b992-703a4ecf4f88 | Azure Managed Grafana workspaces should disable service account | Disables API keys and service account for automated workloads in Grafana workspace. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-06-28 18:15:04 | BuiltIn
Managed Grafana | 3a97e513-f75e-4230-8137-1efad4eadbbc | Azure Managed Grafana workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. | Default: Audit; Allowed: Audit, Disabled | - | change | Patch (1.0.0 > 1.0.1) | 2024-06-28 18:15:04 | BuiltIn
Managed Grafana | b6752a42-6fc3-46cb-8a15-33aa109407b1 | Azure Managed Grafana workspaces should disable email settings | Disables SMTP settings configuration of email contact point for alerting in Grafana workspace. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-06-28 18:15:04 | BuiltIn
Managed Grafana | bc33de80-97cd-4c11-b6b4-d075e03c7d60 | Configure Azure Managed Grafana workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Patch (1.0.0 > 1.0.1) | 2024-06-28 18:15:04 | BuiltIn
Kubernetes | 28257686-e9db-403e-b9e2-a5eecbe03da9 | Azure Kubernetes Clusters should disable SSH | Disable SSH gives you the ability to secure your cluster and reduce the attack surface. To learn more, visit: aka.ms/aks/disablessh | Default: Audit; Allowed: Audit, Disabled | - | add | new Policy | 2024-06-24 18:15:26 | BuiltIn
Guest Configuration | 2454bbee-dc19-442f-83fc-7f3114cafd91 | [Deprecated]: Windows machines should use the default NTP server | This policy is deprecated because Microsoft 365 App Compliance Program no longer checks the default NTP server on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | - | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn
Network | 711c24bb-7f18-4578-b192-81a6161e1f17 | [Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: Audit, Deny, Disabled | - | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn
Network | f516dc7a-4543-4d40-aad6-98f76a706b50 | [Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: Audit, Deny, Disabled | - | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn
PostgreSQL | 4eb5e667-e871-4292-9c5d-8bbb94e0c908 | Auditing with PgAudit should be enabled for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment which is not enabled to use pgaudit. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | - | add | new Policy | 2024-06-14 18:20:16 | BuiltIn
Network | 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 | [Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: Audit, Deny, Disabled | - | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn
PostgreSQL | ce39a96d-bf09-4b60-8c32-e85d52abea0f | A Microsoft Entra administrator should be provisioned for PostgreSQL flexible servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL flexible server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | - | add | new Policy | 2024-06-14 18:20:16 | BuiltIn
Guest Configuration | b3248a42-b1c1-41a4-87bc-8bad3d845589 | Windows machines should enable Windows Defender Real-time protection | Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | - | change | Patch (1.0.0 > 1.0.1) | 2024-06-14 18:20:16 | BuiltIn
PostgreSQL | 78ed47da-513e-41e9-a088-e829b373281d | Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace | Deploys the diagnostic settings for PostgreSQL flexible servers to stream to a regional Log Analytics workspace when any PostgreSQL flexible servers which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | add | new Policy | 2024-06-14 18:20:16 | BuiltIn
PostgreSQL | a43d5475-c569-45ce-a268-28fa79f4e87a | PostgreSQL flexible servers should be running TLS version 1.2 or newer | This policy helps audit any PostgreSQL flexible servers in your environment which is running with TLS version less than 1.2. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | - | add | new Policy | 2024-06-14 18:20:16 | BuiltIn
Network | a58ac66d-92cb-409c-94b8-8e48d7a96596 | [Deprecated]: Azure firewall policy should enable TLS inspection within application rules | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: Audit, Deny, Disabled | - | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn
Network | f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf | [Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | - | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn
PostgreSQL | 12c74c95-0efd-48da-b8d9-2a7d68470c92 | PostgreSQL flexble servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-06-14 18:20:16 | BuiltIn
Guest Configuration | 3810e389-1d92-4f77-9267-33bdcf0bd225 | [Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day | This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | - | change | Minor, new suffix: deprecated (1.2.0 > 1.3.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn
Network | 6484db87-a62d-4327-9f07-80a2cbdf333a | [Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: Audit, Deny, Disabled | - | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn
Guest Configuration | d96163de-dbe0-45ac-b803-0e9ca0f5764e | Windows machines should configure Windows Defender to update protection signatures within one day | To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | - | change | Patch (1.0.0 > 1.0.1) | 2024-06-14 18:20:16 | BuiltIn
SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. | Default: Audit; Allowed: Audit, Deny, Disabled | - | change | Minor (3.0.1 > 3.1.0) | 2024-06-14 18:20:16 | BuiltIn
Network | 632d3993-e2c0-44ea-a7db-2eca131f356d | [Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: Audit, Deny, Disabled | - | change | Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn
Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.4.0 > 1.5.0) | 2024-06-10 18:18:08 | BuiltIn
DevOpsInfrastructure | 0d6d79a8-8406-4e87-814d-2dcd83b2c355 | [Preview]: Microsoft Managed DevOps Pools should be provided with valid subnet resource in order to configure with own virtual network. | Disallows creating Pool resources if a valid subnet resource is not provided. | Default: Audit; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-06-10 18:18:08 | BuiltIn
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor, Log Analytics Contributor | change | Minor (4.1.0 > 4.2.0) | 2024-06-10 18:18:08 | BuiltIn
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.6.0 > 1.7.0) | 2024-06-10 18:18:08 | BuiltIn
Security Center | Deploy-ASC-SecurityContacts | Deploy Microsoft Defender for Cloud Security Contacts | Deploy Microsoft Defender for Cloud Security Contacts | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Security Admin | change | Major (1.1.0 > 2.0.0) | 2024-06-10 18:18:08 | ALZ
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.5.0 > 1.6.0) | 2024-06-10 18:18:08 | BuiltIn
Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.6.0 > 1.7.0) | 2024-06-10 18:18:08 | BuiltIn
General | DenyAction-DeleteResources | Do not allow deletion of specified resource and resource type | This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect. | Default: DenyAction; Allowed: DenyAction, Disabled | - | add | new Policy | 2024-06-06 18:16:12 | ALZ
API Management | Deny-APIM-TLS | API Management services should use TLS version 1.2 | Azure API Management service should use TLS version 1.2 | Default: Deny; Allowed: Audit, Deny, Disabled | - | add | new Policy | 2024-06-03 17:39:43 | ALZ
Managed Identity | Deploy-UserAssignedManagedIdentity-VMInsights | [Deprecated]: Deploy User Assigned Managed Identity for VM Insights | Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. | Default: DeployIfNotExists; Allowed: AuditIfNotExists, DeployIfNotExists, Disabled | Contributor | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2024-06-03 17:39:43 | ALZ
Security Center | Deploy-MDFC-SQL-DefenderSQL | [Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL (ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce, BuiltIn) | 2024-06-03 17:39:43 | ALZ
Monitoring | Deploy-Diagnostics-DataFactory | [Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace | Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | 2024-06-03 17:39:43 | ALZ
Monitoring | Deploy-Diagnostics-CosmosDB | [Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace | Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | 2024-06-03 17:39:43 | ALZ
Monitoring | Deploy-Diagnostics-CognitiveServices | [Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace | Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ
Monitoring | Deploy-Diagnostics-Relay | [Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace | Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ApiForFHIR [Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-Arc-SQL-DCR-Association [Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Superseded by: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR (2227e1f1-23dd-4c3a-85a9-7024a401d8b2) BuiltIn
2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ACI [Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any Container Instance which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-SignalR [Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Network Deny-AppGw-Without-Tls Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2 This policy ensures that Application Gateways are always deployed with a predefined Microsoft SSL policy that uses TLS version 1.2 Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VWanS2SVPNGW [Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-EventGridSub [Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Firewall [Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-SQLMI [Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-MlWorkspace [Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-MySQL [Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Website [Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-LogicAppsISE [Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-WVDHostPools [Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ACR [Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Logic Apps Deploy-LogicApp-TLS Configure Logic apps to use the latest TLS version Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade Logic apps to the latest TLS version to take advantage of security fixes, if any, and of the new functionality of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ServicesEncryption Encryption for storage services should be enforced for Storage Accounts Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ResourceAccessRulesResourceId Resource Access Rules resource IDs should be restricted for Storage Accounts Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ContainerDeleteRetentionPolicy Storage Accounts should use a container delete retention policy Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Guest Configuration e22a2f03-0534-4d10-8ea0-aa25a6113233 [Preview]: Configure SSH Posture Control on Linux machines This policy creates a Guest Configuration assignment to set SSH Posture Control on Linux machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
add
new Policy 2024-06-03 17:39:43 BuiltIn
Storage Deny-Storage-CopyScope Allowed Copy scope should be restricted for Storage Accounts Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-NetworkSecurityGroups [Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ExpressRoute [Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-DLAnalytics [Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
SQL fa498b91-8a7e-4710-9578-da944c68d1fe [Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure PostgreSQL flexible server can exclusively be accessed by Microsoft Entra identities. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-06-03 17:39:43 BuiltIn
Cognitive Services Deny-CognitiveServices-NetworkAcls Network ACLs should be restricted for Cognitive Services Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-EventGridTopic [Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VMSS [Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Network Deny-AzFw-Without-Policy Azure Firewall should have a default Firewall Policy This policy denies the creation of Azure Firewall without a default Firewall Policy. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-NIC [Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-MediaService [Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-AnalysisService [Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-DataExplorerCluster [Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-WVDWorkspace [Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-CDNEndpoints [Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-FrontDoor [Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Bastion [Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-LoadBalancer [Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-LogAnalytics [Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Cost Optimization Audit-PublicIpAddresses-UnusedResourcesCostOptimization Unused Public IP addresses driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. Default
Audit
Allowed
Audit, Disabled
change
Minor (1.0.0 > 1.1.0) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-NetworkAclsVirtualNetworkRules Virtual network rules should be restricted for Storage Accounts Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
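The five new Deny-Storage-* definitions in this sync (Deny-Storage-ServicesEncryption, Deny-Storage-ResourceAccessRulesResourceId, Deny-Storage-ContainerDeleteRetentionPolicy, Deny-Storage-CopyScope and Deny-Storage-NetworkAclsVirtualNetworkRules) all default to Deny, so a storage account that violates them fails at deployment rather than being flagged later. The pre-flight check below is an added example, not the ALZ policy rules and not code from azadvertizer: the property names follow the Microsoft.Storage/storageAccounts ARM schema, but the exact conditions each definition evaluates are not shown on this page, so the checks are an assumed reading of the descriptions. All sample data is constructed.

```python
"""Pre-flight check approximating the settings the ALZ Deny-Storage-* definitions refuse.

Added example (not the ALZ policy rules). Feed it the `properties` of a
Microsoft.Storage/storageAccounts resource and of its blobServices/default child,
e.g. taken from a built ARM template, before assigning the Deny-effect policies.
"""
from typing import Dict, List


def check_storage_account(props: Dict, blob_service_props: Dict,
                          allowed_subscription_id: str) -> List[str]:
    """Return one finding per setting that a Deny-effect assignment would reject."""
    findings: List[str] = []

    # Deny-Storage-ServicesEncryption: encryption enabled for every storage service.
    services = props.get("encryption", {}).get("services", {})
    for svc in ("blob", "file", "table", "queue"):
        if not services.get(svc, {}).get("enabled", False):
            findings.append(f"encryption not enabled for the {svc} service")

    acls = props.get("networkAcls", {})

    # Deny-Storage-ResourceAccessRulesResourceId: service-level ACL resource access
    # rules may only reference resources in one specific subscription (a '*' or a
    # foreign subscription in the resourceId is what enables exfiltration).
    prefix = f"/subscriptions/{allowed_subscription_id}/".lower()
    for rule in acls.get("resourceAccessRules", []):
        rid = rule.get("resourceId", "")
        if not rid.lower().startswith(prefix):
            findings.append(f"resource access rule outside the allowed subscription: {rid}")

    # Deny-Storage-NetworkAclsVirtualNetworkRules: no virtual network rules on the
    # service-level firewall; access is expected through private endpoints instead.
    if acls.get("virtualNetworkRules"):
        findings.append("virtual network rules present on the service-level firewall")

    # Deny-Storage-CopyScope: restrict cross-account copies to the same Entra tenant
    # (AAD) or to sources reachable over Private Link (assumed allowed values).
    if props.get("allowedCopyScope") not in ("AAD", "PrivateLink"):
        findings.append("allowedCopyScope is unrestricted")

    # Deny-Storage-ContainerDeleteRetentionPolicy: container soft delete, longer than 7 days.
    policy = blob_service_props.get("containerDeleteRetentionPolicy", {})
    if not (policy.get("enabled") and policy.get("days", 0) > 7):
        findings.append("container delete retention policy missing or not longer than 7 days")

    return findings


# Constructed identifiers used by the samples below.
ALLOWED_SUB = "11111111-1111-1111-1111-111111111111"
OTHER_SUB = "99999999-9999-9999-9999-999999999999"
TENANT = "22222222-2222-2222-2222-222222222222"

# Constructed: an account with defaults plus a VNet rule and a wildcard access rule.
# Every check above fires on it.
WEAK_ACCOUNT = {
    "encryption": {"services": {"blob": {"enabled": True}, "file": {"enabled": True}}},
    "networkAcls": {
        "defaultAction": "Deny",
        "virtualNetworkRules": [{"id": f"/subscriptions/{OTHER_SUB}/resourceGroups/rg-app/"
                                       "providers/Microsoft.Network/virtualNetworks/vnet/subnets/app"}],
        "resourceAccessRules": [{"tenantId": TENANT,
                                 "resourceId": "/subscriptions/*/resourceGroups/*/providers/"
                                               "Microsoft.Synapse/workspaces/*"}],
    },
}
WEAK_BLOB_SERVICE = {"containerDeleteRetentionPolicy": {"enabled": True, "days": 7}}

# Constructed: the same account hardened to what the Deny definitions require.
HARDENED_ACCOUNT = {
    "allowedCopyScope": "PrivateLink",
    "encryption": {"services": {s: {"enabled": True} for s in ("blob", "file", "table", "queue")}},
    "networkAcls": {
        "defaultAction": "Deny",
        "virtualNetworkRules": [],
        "resourceAccessRules": [{"tenantId": TENANT,
                                 "resourceId": f"/subscriptions/{ALLOWED_SUB}/resourceGroups/*/"
                                               "providers/Microsoft.Synapse/workspaces/*"}],
    },
}
HARDENED_BLOB_SERVICE = {"containerDeleteRetentionPolicy": {"enabled": True, "days": 30}}

if __name__ == "__main__":
    for label, acct, blob in (("weak", WEAK_ACCOUNT, WEAK_BLOB_SERVICE),
                              ("hardened", HARDENED_ACCOUNT, HARDENED_BLOB_SERVICE)):
        print(label, check_storage_account(acct, blob, ALLOWED_SUB) or "OK")
```

Running the check against template output in CI catches these settings before a Deny assignment rejects the deployment. Note that the subscription check treats a wildcard subscription in a resource access rule as a violation, which is the case the description's data-exfiltration wording is aimed at; whether the ALZ rule itself matches on the subscription segment or on the whole resource ID is not stated on this page.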
Monitoring Deploy-Diagnostics-VNetGW [Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-AA [Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Networking Deploy-Private-DNS-Generic Deploy-Private-DNS-Generic Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2024-06-03 17:39:43 ALZ
Security Center 0961003e-5a0a-4549-abde-af6a37f2724d [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign the replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (2.0.3 > 2.1.0-deprecated) 2024-06-03 17:39:43 BuiltIn
Network Audit-PrivateLinkDnsZones Audit or Deny the creation of Private Link Private DNS Zones This policy audits or denies, depending on the assignment effect, the creation of Private Link private DNS zones in the current scope. It is used in combination with the policies that create centralized private DNS zones in the connectivity subscription. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.1 > 1.0.2) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-APIMgmt [Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-WebServerFarm [Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-PostgreSQL [Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-iotHub [Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
App Service Deny-AppService-without-BYOC App Service certificates must be stored in Key Vault App Service (including Logic apps and Function apps) must use certificates stored in Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Logic Apps Deny-LogicApp-Public-Network Logic apps should disable public network access Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-WVDAppGroup [Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-SQL-AMA [Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); Superseded by: Configure SQL Virtual Machines to automatically install Azure Monitor Agent (f91991d1-5383-4c95-8ee5-5ac423dd8bb1, BuiltIn) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VirtualNetwork [Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-NetworkAclsBypass Network ACL bypass option should be restricted for Storage Accounts Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-TimeSeriesInsights [Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Network Modify-NSG Enforce specific configuration of Network Security Groups (NSG) This policy enforces the configuration of Network Security Groups (NSG). Default
Modify
Allowed
Modify, Disabled
count: 001
Network Contributor
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-TrafficManager [Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Event Hub Deny-EH-minTLS Event Hub namespaces should use a valid TLS version Event Hub namespaces should use a valid TLS version. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-RedisCache [Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-minTLS [Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html Default
Deny
Allowed
Audit, Deny, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); Superseded by: Policy (fe83a0eb-a853-422d-aac2-1bffd182c5d0, 404c3081-a854-4457-ae30-26a93ef643f9) 2024-06-03 17:39:43 ALZ
Cognitive Services Deny-CognitiveServices-RestrictOutboundNetworkAccess Outbound network access should be restricted for Cognitive Services Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Network Deny-Service-Endpoints Deny or Audit service endpoints on subnets This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Databricks [Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ResourceAccessRulesTenantId Resource Access Rules Tenants should be restricted for Storage Accounts Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-PowerBIEmbedded [Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Logic Apps Deny-LogicApps-Without-Https Logic app should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-HDInsight [Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ApplicationGateway [Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Network Modify-UDR Enforce specific configuration of User-Defined Routes (UDR) This policy enforces the configuration of User-Defined Routes (UDR) within a subnet. Default
Modify
Allowed
Modify, Disabled
count: 001
Network Contributor
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-SQLElasticPools [Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Function [Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-AVDScalingPlans [Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Event Hub Deny-EH-Premium-CMK Event Hub namespaces (Premium) should use a customer-managed key for encryption Event Hub namespaces (Premium) should use a customer-managed key for encryption. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-SQL-DefenderSQL-DCR [Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated); Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304, BuiltIn) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-LocalUser Local users should be restricted for Storage Accounts Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-CorsRules Storage Accounts should restrict CORS rules Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VM [Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-EventGridSystemTopic [Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Cognitive Services Deny-CognitiveServices-Resource-Kinds Only explicit kinds for Cognitive Services should be allowed Azure Cognitive Services should only create explicit allowed kinds. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-Arc-Sql-DefenderSQL-DCR [Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); Superseded by: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (63d03cbd-47fd-4ee1-8a1c-9ddf07303de0, BuiltIn) 2024-06-03 17:39:43 ALZ
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (3.10.0 > 3.12.0) 2024-05-27 16:38:31 BuiltIn
PostgreSQL c29c38cb-74a7-4505-9a06-e588ab86620a Enforce SSL connection should be enabled for PostgreSQL flexible servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL flexible server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database flexible server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your PostgreSQL flexible server. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL dacf07fa-0eea-4486-80bc-b93fae88ac40 Connection throttling should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL 086709ac-11b5-478d-a893-9567a16d2ae3 Log connections should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without log_connections setting enabled. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL cee2f9fd-3968-44be-a863-bd62c9884423 Geo-redundant backup should be enabled for Azure Database for PostgreSQL flexible servers Azure Database for PostgreSQL flexible servers allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL 1d14b021-1bae-4f93-b36b-69695e14984a Disconnections should be logged for PostgreSQL flexible servers. This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL 70be9e12-c935-49ac-9bd8-fd64b85c1f87 Log checkpoints should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without log_checkpoints setting enabled. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-05-27 16:38:31 BuiltIn
Azure Update Manager 9905ca54-1471-49c6-8291-7582c04cd4d4 [Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual machines. This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and enables 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-05-27 16:38:31 BuiltIn
PostgreSQL 5375a5bb-22c6-46d7-8a43-83417cfb4460 Private endpoint should be enabled for PostgreSQL flexible servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-05-27 16:38:31 BuiltIn
Cosmos DB 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Default
Deny
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2024-05-27 16:38:31 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.4.0-preview > 1.5.0-preview) 2024-05-17 18:03:56 BuiltIn
Cosmos DB 12339a85-a25c-4f17-9f82-4766f13f5c4c Azure Cosmos DB accounts should not allow traffic from all Azure data centers Disallow the IP Firewall rule, '0.0.0.0', which allows for all traffic from any Azure data centers. Learn more at https://aka.ms/cosmosdb-firewall Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-05-17 18:03:56 BuiltIn
ChangeTrackingAndInventory ad1eeff9-20d7-4c82-a04e-903acab0bfc1 [Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-05-17 18:03:56 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview) 2024-05-17 18:03:56 BuiltIn
ChangeTrackingAndInventory 4485d24b-a9d3-4206-b691-1fad83bc5007 [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-05-17 18:03:56 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.5.0 > 1.6.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (6.3.0 > 6.4.0) 2024-05-13 17:44:58 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.5.0 > 1.6.0) 2024-05-13 17:44:58 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.3.0 > 1.4.0) 2024-05-13 17:44:58 BuiltIn
Backup bdff5235-9f40-4a32-893f-38a03d5d607c [Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag. Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-05-13 17:44:58 BuiltIn
Backup 6e68865f-f3cd-48ec-9bba-54795672eaa4 [Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region Enforce backup for all Azure Disks (Managed Disks) that do not contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Backup Contributor
add
new Policy 2024-05-13 17:44:58 BuiltIn
Guest Configuration a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4 [Preview]: Audit SSH Posture Control on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if SSH Server is not securely configured on the Linux machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-05-13 17:44:58 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.3.0 > 1.4.0) 2024-05-13 17:44:58 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.2.0 > 1.3.0) 2024-05-13 17:44:58 BuiltIn
Backup 7b5a3b1d-d2e1-4c0b-9f3b-ad0b9a2283f4 [Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region Enforce backup for all Azure Disks (Managed Disks) that contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Backup Contributor
add
new Policy 2024-05-13 17:44:58 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.5.0 > 1.6.0) 2024-05-13 17:44:58 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.6.0 > 3.7.0) 2024-05-13 17:44:58 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (1.2.0 > 1.3.0) 2024-05-13 17:44:58 BuiltIn
Security Center 6e2593d9-add6-4083-9c9b-4b7d2188c899 Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-05-13 17:44:58 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.6.0 > 3.7.0) 2024-05-13 17:44:58 BuiltIn
Monitoring c84e5349-db6d-4769-805e-e14037dab9b5 Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2024-05-13 17:44:58 BuiltIn
Backup 9a021087-bba6-42fd-b535-bba75297566b [Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag. Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-05-13 17:44:58 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.2.0 > 4.3.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.2.0 > 4.3.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 60ad0a9f-f760-45ff-ab94-4c64d7439f18 Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container instances (microsoft.containerinstance/containergroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
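A note on the "Roles used" column, with an added example (this is not code from the page or from Azure Policy, and it reflects the editor's reading of the change log rather than the definitions themselves). Every policy above whose default effect is DeployIfNotExists only remediates when the assignment carries a managed identity, and that identity needs each listed role at the assignment scope. For the records that list Owner (Defender for Storage, the AKS backup extension) or Contributor (the SQL VM Defender/DCR policy) this means a remediation identity with full write access to the whole scope, so the scope deserves to be as narrow as the resources require and edits to the assignment deserve the same review as any other privileged role grant. The script parses records in the change log's own layout, flags the ones whose identity would hold a broad role, and prints the Azure CLI commands that assign a policy with a system-assigned identity and one role assignment per listed role at that same scope. Which effects count as remediating and which roles count as broad are this example's own choices; the CLI flag names are as documented when this was written and should be confirmed with `az policy assignment create --help`.

```python
"""Added example (not from the page or from Azure Policy): parse records in the
change log's own layout and review what each DeployIfNotExists policy's
remediation identity would be granted at the assignment scope. Which effects
need an identity and which roles count as broad are this example's choices."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: three records copied from the log above, descriptions abridged.
SAMPLE = """\
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled This policy will enable all Defender for Storage capabilities. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (1.2.0 > 1.3.0) 2024-05-13 17:44:58 BuiltIn
Security Center 6e2593d9-add6-4083-9c9b-4b7d2188c899 Email notification for high severity alerts should be enabled Enable email notifications for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 60ad0a9f-f760-45ff-ab94-4c64d7439f18 Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub Resource logs should be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
"""

GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
HEADER_RE = re.compile(rf"^(?P<category>.+?) (?P<id>{GUID}) (?P<text>.+) Default$")
CHANGE_RE = re.compile(r"^(?:(?P<kind>\w+) \((?P<old>[\w.]+) > (?P<new>[\w.]+)\)|(?P<fresh>new Policy)) "
                       r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ptype>\w+)$")
REMEDIATING_EFFECTS = {"DeployIfNotExists", "Modify"}  # assumption: effects that write resources
BROAD_ROLES = {"Owner", "Contributor"}                 # assumption: roles worth a second look


@dataclass
class PolicyChange:
    category: str
    id: str
    text: str                 # display name + description, concatenated as on the page
    default_effect: str
    allowed_effects: List[str]
    roles: List[str]          # the 'Roles used' column: what remediation needs
    subject: str              # 'add' or 'change'
    change_kind: str          # 'Minor', 'Major', ... or 'new Policy'
    versions: Optional[Tuple[str, str]]
    date: str
    policy_type: str

    def needs_identity(self) -> bool:
        return self.default_effect in REMEDIATING_EFFECTS


def parse_changelog(text: str) -> List[PolicyChange]:
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m is None:               # not a record header: skip the line
            i += 1
            continue
        if lines[i + 2] != "Allowed":
            raise ValueError(f"unexpected layout after {m['id']}")
        default_effect, allowed = lines[i + 1], [e.strip() for e in lines[i + 3].split(",")]
        i += 4
        roles: List[str] = []
        if lines[i].startswith("count:"):   # absent when the policy needs no roles
            n = int(lines[i].split(":", 1)[1])
            roles, i = lines[i + 1:i + 1 + n], i + 1 + n
        cm = CHANGE_RE.match(lines[i + 1])
        if cm is None:
            raise ValueError(f"unexpected change line for {m['id']}: {lines[i + 1]!r}")
        out.append(PolicyChange(m["category"], m["id"], m["text"], default_effect, allowed, roles,
                                lines[i], cm["kind"] or cm["fresh"],
                                (cm["old"], cm["new"]) if cm["kind"] else None, cm["date"], cm["ptype"]))
        i += 2
    return out


def flag_broad_roles(records: List[PolicyChange]) -> Dict[str, List[str]]:
    """Policy id -> broad roles its remediation identity would hold."""
    return {r.id: sorted(set(r.roles) & BROAD_ROLES)
            for r in records if r.needs_identity() and set(r.roles) & BROAD_ROLES}


def assignment_script(rec: PolicyChange, name: str, scope: str, location: str) -> str:
    """Azure CLI lines assigning `rec` at `scope`; remediating effects get a system-assigned
    identity plus one role assignment per listed role at that same scope, nothing wider.
    Flag names are the Azure CLI's as documented when this was written (check --help)."""
    base = f"az policy assignment create --name {name} --policy {rec.id} --scope {scope}"
    if not rec.needs_identity():
        return base
    lines = [f"principal=$({base} --mi-system-assigned --location {location} --query identity.principalId -o tsv)"]
    for role in rec.roles:
        lines.append(f'az role assignment create --assignee-object-id "$principal" '
                     f'--assignee-principal-type ServicePrincipal --role "{role}" --scope {scope}')
    return "\n".join(lines)
```

Run it over a copy of the full log instead of SAMPLE to get the complete list of policies that would put Owner or Contributor on a remediation identity; the audit-only Security Center record comes back with no roles and no identity, which is the expected result for AuditIfNotExists.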
Monitoring b9d3f759-4cda-43cf-8f64-5b01aeb1c21a Enable logging by category group for microsoft.networkcloud/clusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e6421995-539a-4ce3-854b-1c88534396cf Enable logging by category group for microsoft.networkcloud/baremetalmachines to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/baremetalmachines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8e29fe36-d794-4c55-87d6-5a206031dde2 Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed CCF Apps (microsoft.confidentialledger/managedccfs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3534c358-8a1c-4601-b6ff-43d378d65efa Enable logging by category group for microsoft.devices/provisioningservices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.devices/provisioningservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring aa78af66-1659-40aa-90b0-b35b616adbdc Enable logging by category group for microsoft.networkanalytics/dataproducts to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkanalytics/dataproducts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6b80a35d-1e9a-43ac-9e0b-4519ce9f09b4 Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for HPC caches (microsoft.storagecache/caches). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 18009236-18d3-48e3-bd21-4e7630153611 Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Connected Cache Resources (microsoft.connectedcache/ispcustomers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a819f227-229d-44cb-8ad6-25becdb4451f Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Data Explorer Clusters (microsoft.kusto/clusters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 64948b6b-409d-4af2-970f-3b80fea408c1 Enable logging by category group for microsoft.networkcloud/clusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 63d1a629-735c-448b-b45f-5e3865e84cf5 Enable logging by category group for Logic apps (microsoft.logic/workflows) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Logic apps (microsoft.logic/workflows). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cd0a772a-62ba-4295-8311-d6710ebe967b Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data collection rules (microsoft.insights/datacollectionrules). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 63a8eb0d-f030-4bc6-a1e4-6998f23aa160 Enable logging by category group for microsoft.networkcloud/clusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f6d5d5d5-0fa9-4257-b820-69c35016c973 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 590b6105-4715-4e8b-8049-c5a4ae07d8e9 Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1840aef8-71df-4a30-a108-efdb4f291a7f Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Integration accounts (microsoft.logic/integrationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 50d96640-65c9-42de-b79a-95c1890c6ec8 Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkfunction/azuretrafficcollectors. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fe85de62-a656-4b79-9d94-d95c89319bd9 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 887d1795-3d3d-4859-9ef4-9447392db2ea Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application gateways (microsoft.network/applicationgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 79494980-ea12-4ca1-8cca-317e942b6da2 Enable logging by category group for Application Insights (microsoft.insights/components) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (microsoft.insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0e4325e3-228b-40f0-83ae-9c03276858c1 Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Connected Cache Resources (microsoft.connectedcache/ispcustomers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2853b2ac-3ce0-4e51-a1e3-086591e7028a Enable logging by category group for Relays (microsoft.relay/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Relays (microsoft.relay/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring be3ddb6b-c328-4ecd-91e8-c2804868ea9c Enable logging by category group for microsoft.dbformysql/flexibleservers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbformysql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1568dd08-cca0-4073-bfd8-e08a7fdc543e Enable logging by category group for microsoft.workloads/sapvirtualinstances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.workloads/sapvirtualinstances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ca05d7f2-6625-4cc3-a65a-4931b45ff139 Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bot Services (microsoft.botservice/botservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 059e6dd0-544a-4c93-abad-b3ad77667339 Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Host pools (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5a1fa110-16bc-49d0-a045-29a552b67cef Enable logging by category group for microsoft.synapse/workspaces/kustopools to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.synapse/workspaces/kustopools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fc66c506-9397-485e-9451-acc1525f0070 Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring bb7bbee6-718c-4a71-a474-9f9f0e2a55e4 Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3ec48f10-33fc-40d2-aaf2-028c4f7bbd02 Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MySQL servers (microsoft.dbformysql/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e1bf4d43-542a-4410-918d-7e61c8e1ac21 Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3234ff41-8bec-40a3-b5cb-109c95f1c8ce Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual networks (microsoft.network/virtualnetworks). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 96abcdc6-3c5a-4b0f-b031-9a4c1f36c9a6 Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d8624de8-47fe-47c0-bea0-2d8329b628fe Enable logging by category group for microsoft.network/vpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/vpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d4d93413-9560-4252-a16d-b8c3bbaf5baf Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Analytics (microsoft.datalakeanalytics/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f8352124-56fa-4f94-9441-425109cdc14b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 6ee1c58c-a123-4cd6-8643-48b2f7ffb3e1 Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networkmanagers/ipampools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 971199b6-1971-4d3e-85b0-fa7639044679 Enable logging by category group for Search services (microsoft.search/searchservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Search services (microsoft.search/searchservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a972fe34-7882-4476-87cf-eb9631785fb5 Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servergroupsv2. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6af023b1-4841-4b54-8f3d-69caa4e558cb Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application groups (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0e861bb0-d926-4cdb-b2d6-d59336b8f5b3 Enable logging by category group for microsoft.networkanalytics/dataproducts to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkanalytics/dataproducts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 234bbd1b-05f6-4639-8770-1cd5278ba2c9 Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.autonomousdevelopmentplatform/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 30499756-47d6-493c-9e57-ee3db2d9fa96 Enable logging by category group for microsoft.insights/autoscalesettings to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.insights/autoscalesettings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3a8ff864-d881-44ce-bed3-0c63ede634cb Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 13bf624e-fe24-40f0-9a7c-066e28a50871 Enable logging by category group for microsoft.devices/provisioningservices to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.devices/provisioningservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 064a3695-3197-4354-816b-65c7b952db9e Enable logging by category group for microsoft.documentdb/mongoclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/mongoclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5d487647-6a53-4839-8eb8-edccf5e6bf1d Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Live events (microsoft.media/mediaservices/liveevents). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring de5d5895-642e-4d19-a14e-08a67b2dd152 Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5fbd326d-328c-414e-a922-2d6963998962 Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 14e81583-c89c-47db-af0d-f9ddddcccd9f Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 9c79e60b-99f2-49f3-b08c-630d269bddc1 Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure AD Domain Services (microsoft.aad/domainservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 887dc342-c6bd-418b-9407-ab0e27deba36 Enable logging by category group for microsoft.synapse/workspaces/kustopools to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.synapse/workspaces/kustopools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7a8afaba-cc24-4306-b83f-d178f1a10ba2 Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Power BI Embedded (microsoft.powerbidedicated/capacities). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bf6af3d2-fbd5-458f-8a40-2556cf539b45 Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3ce7ba9e-058f-4ce9-b4d6-22e6c1238904 Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 601e350d-405c-41d0-a886-72c283f8fab2 Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network security groups (microsoft.network/networksecuritygroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f3977509-4420-4dfa-b1c9-2ab38dfd530f Enable logging by category group for microsoft.d365customerinsights/instances to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.d365customerinsights/instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 068e22bd-8057-466b-9642-7cd2ca476158 Enable logging by category group for microsoft.timeseriesinsights/environments to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d3abca82-2ae2-4707-bf5e-cfc765ce9ff1 Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.servicenetworking/trafficcontrollers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5360664a-5821-4f43-8988-3f0ed8f3f8a5 Enable logging by category group for microsoft.networkanalytics/dataproducts to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkanalytics/dataproducts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 78d285d5-f767-43f8-aa36-4616daaf9d51 Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Backup vaults (microsoft.dataprotection/backupvaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b4545446-0cac-4af5-b591-61544b66e802 Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Workspaces (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 42e5ad1f-57fd-49a7-b0e4-c7a7ae25ba3d Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 37d5d366-8544-498a-9106-00185b29a9e3 Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.cdn/cdnwebapplicationfirewallpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 58cb2d8e-623c-4557-bb4e-0b64cb41ec55 Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Service Environments (microsoft.web/hostingenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 824142d3-eccb-4b7c-8403-319610811237 Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data collection rules (microsoft.insights/datacollectionrules). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a12e0815-0735-48d9-b5b3-8a3b60a85b86 Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SCOPE pools (microsoft.synapse/workspaces/scopepools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cf6ff94d-c483-4491-976a-eb784101217a Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 20e491a1-11fe-4d11-ab4e-a81edd23672e Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0ebe872d-7029-4292-88bc-ad3e2cf3772f Enable logging by category group for microsoft.network/networksecurityperimeters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networksecurityperimeters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1bd91eae-4429-4f23-b780-8c9622e023e3 Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure AD Domain Services (microsoft.aad/domainservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bd0965d6-9544-406a-90b5-dc2d566670b8 Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed databases (microsoft.sql/managedinstances/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bfc6b185-2af1-4998-a32e-c0144792eeb2 Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Service Environments (microsoft.web/hostingenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ebd6e41f-c33e-4e16-9249-cee4c68e6e8c Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.notificationhubs/namespaces/notificationhubs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring edf35972-ed56-4c2f-a4a1-65f0471ba702 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 9dbcaaa7-0c1b-4861-81c2-d340661b4382 Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SCOPE pools (microsoft.synapse/workspaces/scopepools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 944eae3e-6b16-4864-86e1-1b23d58386d5 Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a271e156-b295-4537-b01d-09675d9e7851 Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6f7fa8b1-4456-4d4c-94c2-1f1651b18235 Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.classicnetwork/networksecuritygroups. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring dcb324b0-3bfa-4df4-b476-64122bde219e Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Scaling plans (microsoft.desktopvirtualization/scalingplans). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a26c842f-bee7-4a1f-9ae1-a973d3a0075a Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container Apps Environments (microsoft.app/managedenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9fcae8ed-246a-407b-8f75-f3500ff2c9db Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Batch accounts (microsoft.batch/batchaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f0d25196-1ea4-49e1-ad53-ccada27b4862 Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bbdbb83b-cbfe-49f7-b7d1-1126630a68b7 Enable logging by category group for microsoft.dbforpostgresql/servers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0bb5a1fb-b1ad-45fd-880e-a590f2ec8d1c Enable logging by category group for microsoft.documentdb/cassandraclusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/cassandraclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 041e904a-33e5-45fd-b3f6-4ac95f1f8761 Enable logging by category group for microsoft.devices/provisioningservices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.devices/provisioningservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b55f2e8e-dc76-4262-a0e3-45f02200ff0e Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP Prefixes (microsoft.network/publicipprefixes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 852877d5-b61d-4741-b649-85a324bb3fd4 Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Shares (microsoft.datashare/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f62b9eab-b489-4388-9874-b0a62ca31327 Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 867c08d5-bc47-404d-9a1b-0aec7a8d34eb Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Workspaces (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ec51b91e-e03d-4435-b6e7-dcaffe6ba5c0 Enable logging by category group for microsoft.customproviders/resourceproviders to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.customproviders/resourceproviders. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2308e22a-85e9-431d-8c47-36072dfa64b5 Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.servicenetworking/trafficcontrollers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e1598217-5ff1-4978-b51d-f0238e100019 Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servergroupsv2. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b88bfd90-4da5-43eb-936f-ae1481924291 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 499b7900-f44e-40ea-b8d3-2f3cf75f2ca4 Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 56ae9f08-b8c9-4a0f-8f58-5dbcd63bef84 Enable logging by category group for Relays (microsoft.relay/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Relays (microsoft.relay/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 93a604fe-0ec2-4a99-ab8c-7ef08f05555a Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f48e8ce0-91bd-4d51-8aba-8990d942f999 Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3d28ea18-8e88-4160-96ff-4b6af4fd94c7 Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for HPC caches (microsoft.storagecache/caches). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1859cd03-7f77-495d-a0ce-336a36a6830d Enable logging by category group for Application Insights (microsoft.insights/components) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application Insights (microsoft.insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 10e8c93c-658d-47e8-aa6f-ed60f329c060 Enable logging by category group for microsoft.documentdb/mongoclusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/mongoclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 55d1f543-d1b0-4811-9663-d6d0dbc6326d Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e97f20f4-8bf0-4a35-a319-38f4144228f5 Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bot Services (microsoft.botservice/botservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cc789f91-3e63-4cfb-86f4-87565055f269 Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/workspaces/onlineendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f08edf17-5de2-4966-8c62-a50a3f4368ff Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 40ce1496-89c2-40cf-80e5-3c4687d2ee4b Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual networks (microsoft.network/virtualnetworks). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 20017523-2fd1-49a8-a766-79cbc572b827 Enable logging by category group for microsoft.timeseriesinsights/environments to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1cd30d13-d34c-4cb8-8f9d-4692f7d40d97 Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Chaos Experiments (microsoft.chaos/experiments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8ea88471-98e1-47e4-9f63-838c990ba2f4 Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Scaling plans (microsoft.desktopvirtualization/scalingplans). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring aec4c33f-2f2a-4fd3-91cd-24a939513c60 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 6b359d8f-f88d-4052-aa7c-32015963ecc1 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f9431f54-4c78-47ef-aac9-2b37cbaeae75 Enable logging by category group for Logic apps (microsoft.logic/workflows) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Logic apps (microsoft.logic/workflows). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b79bf56e-c296-4829-afea-6ac9263e7687 Enable logging by category group for microsoft.network/dnsresolverpolicies to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/dnsresolverpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4f925033-4d52-4619-909c-9c47a687dc51 Enable logging by category group for microsoft.networkcloud/storageappliances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/storageappliances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a9725bd4-a2ad-479f-a29b-5e163cada399 Enable logging by category group for microsoft.networkcloud/baremetalmachines to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/baremetalmachines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 81039988-1f84-4aa6-8039-0a64c2a301b4 Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Playwright Testing (microsoft.azureplaywrightservice/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f48c1843-fc88-47c1-9b01-4527c76c890a Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Managed Grafana (microsoft.dashboard/grafana). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3372b9c2-d179-4190-9f0c-e6f6304d0e93 Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application groups (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 167dbbbc-a03a-4ebe-8e46-c34cc67f7d9d Enable logging by category group for microsoft.d365customerinsights/instances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.d365customerinsights/instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring eb5a4c26-04cb-4ab1-81cb-726dc58df772 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 84d8a69f-788a-4025-ba96-f36406cc9ee5 Enable logging by category group for microsoft.machinelearningservices/registries to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/registries. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 144aa510-91a0-4de9-9800-43a7ef5e947f Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data factories (V2) (microsoft.datafactory/factories). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 95f9d29c-defd-4387-b73b-5cdb4a982bf0 Enable logging by category group for microsoft.dbformysql/flexibleservers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbformysql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0628b917-d4b4-4af5-bc2b-b4f87cd173ab Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring dfe69c56-9c12-4271-9e62-7607ab669582 Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 621d8969-4918-45e7-954b-2fb0b42e7059 Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 339855ce-39c1-4a70-adc9-103ea7aac99f Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Firewalls (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b15247e4-f83b-48b2-b34e-8ea6148a0f34 Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a6d488fc-3520-4ec8-9cf6-c5e78d677651 Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a78631da-8506-4113-96f4-2805de193083 Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Managed Grafana (microsoft.dashboard/grafana). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a8de4d0a-d637-4684-b70e-6df73b74d117 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring b6f29e6b-4b21-4bb6-a997-38592fa02864 Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed CCF Apps (microsoft.confidentialledger/managedccfs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 47f4c5ae-1b43-4620-bcbd-65e2ee6fb7c8 Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8d42b501-dd03-449d-a070-32d1db2e546b Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed databases (microsoft.sql/managedinstances/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4c67a1c0-8e77-4f4b-b572-5c11695aae2d Enable logging by category group for microsoft.d365customerinsights/instances to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.d365customerinsights/instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bd0079c6-6f2d-42f4-9cee-e23930968f10 Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4ce6d386-fc8e-4ac4-9bff-e5859625cea4 Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Endpoints (microsoft.cdn/profiles/endpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 65a1573e-cc90-412b-8db2-ba60731b0ea6 Enable logging by category group for microsoft.customproviders/resourceproviders to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.customproviders/resourceproviders. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2cb215be-a09b-4623-ac2f-dfc5012b1a5b Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for ExpressRoute circuits (microsoft.network/expressroutecircuits). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 08240c20-e48f-47d9-9305-2a8c4da75a3e Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Storage movers (microsoft.storagemover/storagemovers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 99b76532-523c-44da-8d28-3af059fd7fbb Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a05c2daf-be1f-4d2c-8a12-b3627d477b44 Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed databases (microsoft.sql/managedinstances/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 50bdafe5-c7b6-4812-af5f-75dc00561aed Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Firewalls (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2fbd2ca9-e7b2-47a0-a8b2-575f3f7607d4 Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.cdn/cdnwebapplicationfirewallpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5e23caa9-3cea-4f5b-a181-ba6a3bdb91ef Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure API for FHIR (microsoft.healthcareapis/services). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e9c56c41-d453-4a80-af93-2331afeb3d82 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5e6697bc-9d6d-4de9-95f9-898f130372df Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Video Indexer (microsoft.videoindexer/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 82b076b9-2062-4516-ae4c-37b1890eabb2 Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dev centers (microsoft.devcenter/devcenters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 22c8a30b-c5c1-4434-b837-2772543d3c3c Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid System Topics (microsoft.eventgrid/systemtopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5d7409c0-fb8e-4052-9969-ef09f12fd166 Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Live events (microsoft.media/mediaservices/liveevents). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 56288eb2-4350-461d-9ece-2bb242269dce Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 69ab8bfc-dc5b-443d-93a7-7531551dec66 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 20f21bc7-b0b8-4d57-83df-5a8a0912b934 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a2361fd4-721d-4be2-9910-53be250b99ad Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP Prefixes (microsoft.network/publicipprefixes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f018b68f-d953-4238-81a3-94a0f39507e3 Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SCOPE pools (microsoft.synapse/workspaces/scopepools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 69214fad-6742-49a9-8f71-ee9d269364ab Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 1bd3a451-9f38-43e5-aed3-bede117c3055 Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Analytics (microsoft.datalakeanalytics/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2db34cad-25ef-48e3-a787-c2cd36434cd7 Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 818719e5-1338-4776-9a9d-3c31e4df5986 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 9b6f89db-876b-4156-9f9b-f29dcf302ad2 Enable logging by category group for microsoft.azuresphere/catalogs to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.azuresphere/catalogs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8def4bdd-4362-4ed6-a26f-7bf8f2c58839 Enable logging by category group for Search services (microsoft.search/searchservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Search services (microsoft.search/searchservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7646801f-46d5-48d0-9e18-efb884944f3e Enable logging by category group for microsoft.customproviders/resourceproviders to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.customproviders/resourceproviders. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 34705075-71e2-480c-a9cb-6e9387f47f0f Enable logging by category group for Relays (microsoft.relay/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Relays (microsoft.relay/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a1a5f3c5-d01a-459c-8398-a3c9a79ad879 Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Video Indexer (microsoft.videoindexer/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 83089e56-9675-4bc8-ae7d-ca4547dc764b Enable logging by category group for microsoft.network/networksecurityperimeters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networksecurityperimeters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5164fdc7-cfcd-4bd8-a3e9-f4be93166cde Enable logging by category group for microsoft.workloads/sapvirtualinstances to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.workloads/sapvirtualinstances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 792f8b74-dc05-44fd-b90d-340a097b80e6 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 11638078-a29c-4cf3-ad7f-775f78327425 Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application gateways (microsoft.network/applicationgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ca09affa-60d6-4cef-9037-b7372e1ac44f Enable logging by category group for microsoft.network/vpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/vpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring acbb9698-46bd-4800-89da-e3473c4ab10d Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Communication Services (microsoft.communication/communicationservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e260a121-c160-4da3-8a0f-e2c0ff6c561e Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fc744b31-a930-4eb5-bc06-e81f98bf7214 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 819c6fd1-432a-4516-a9cb-0c4462af610f Enable logging by category group for microsoft.powerbi/tenants/workspaces to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.powerbi/tenants/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 322b6192-a99b-4ab6-9b40-43ca19dcd0d9 Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f969646f-b6b8-45a0-b736-bf9b4bb933dc Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3496f6fd-57ba-485c-8a14-183c4493b781 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 9f4e810a-899e-4e5e-8174-abfcf15739a3 Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring b9b976cc-59ef-468a-807e-19afa2ebfd52 Enable logging by category group for microsoft.network/p2svpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring be26ca28-761d-4538-b78a-975eb47c680c Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8181847d-3422-4030-b815-481934740b63 Enable logging by category group for microsoft.azuresphere/catalogs to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.azuresphere/catalogs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a5385dba-3caf-43da-8804-c68174d315a7 Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fc2bb2e1-739a-4a03-86a2-16ad55e90bd9 Enable logging by category group for microsoft.powerbi/tenants/workspaces to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.powerbi/tenants/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 76539a09-021e-4300-953b-4c6018ac26dc Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 140ad507-70f0-43cb-a7cb-a8964341aefa Enable logging by category group for Application Insights (microsoft.insights/components) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application Insights (microsoft.insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3227dfd8-3536-4336-94c9-78633be6baa2 Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Analysis Services (microsoft.analysisservices/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e9e99d63-621a-4a33-8799-0fb53e43f162 Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Scaling plans (microsoft.desktopvirtualization/scalingplans). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9ba29e83-863d-4fec-81d0-16dd87067cc3 Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3d7d0cc7-bd72-4f41-bf55-0be57faa3883 Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3ca36b5c-2f29-41a0-9b1d-80e2cdf2d947 Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Load balancers (microsoft.network/loadbalancers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 305408ed-dd5a-43b9-80c1-9eea87a176bb Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e74570cf-1b7d-4bed-b79e-d1fd1117a39a Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Endpoints (microsoft.cdn/profiles/endpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 14681907-c749-4d60-8eae-1038537fb8a3 Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0fff3e39-f422-45b0-b497-33a05b996d3e Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid System Topics (microsoft.eventgrid/systemtopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0925a080-ab8d-44a1-a39c-61e184b4d8f9 Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 116b1633-30d0-4e9a-a665-8aea3dc906c6 Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.servicenetworking/trafficcontrollers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c13b41e7-a45f-4600-96c0-18f84fb07771 Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.connectedcache/enterprisemcccustomers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1abe42e1-a726-4dee-94c2-79f364dac9b7 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring ee64264d-f9e3-4a0e-bbe2-db4319aeaf42 Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Endpoints (microsoft.cdn/profiles/endpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f5094957-e0f7-4af2-9e14-13d60141dc4a Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0b726841-c441-44ed-a2cc-d321e3be3ed7 Enable logging by category group for microsoft.networkcloud/storageappliances to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/storageappliances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring db20d5eb-782b-4c4d-b668-06816ec72c58 Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b14e31e2-22d0-48bb-907e-cfb3487e2120 Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for HPC caches (microsoft.storagecache/caches). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bdef6e51-210f-4dc3-87b4-eef30f2e6a17 Enable logging by category group for microsoft.community/communitytrainings to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.community/communitytrainings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 29565b0a-e1b5-49c1-94bf-b8b258656460 Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4891dace-710e-40bd-b81f-6a0b9871b50b Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 46b2dd5d-3936-4347-8908-b298ea4466d3 Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 567c93f7-3661-494f-a30f-0a94d9bfebf8 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 6308bf75-8340-4bab-b2ec-2f5000697af4 Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.classicnetwork/networksecuritygroups. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 33835ef6-bc67-4bde-bf5f-5a857f195a57 Enable logging by category group for microsoft.machinelearningservices/registries to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/registries. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 480ee186-7504-48ac-b64e-af38673aa2c6 Enable logging by category group for Search services (microsoft.search/searchservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Search services (microsoft.search/searchservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1d98c506-1460-4424-9006-84210fa5214a Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7860f3fe-0db3-42d4-bf3d-7042ea5e5787 Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbformysql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 614d9fbd-68cd-4832-96db-3362069661b2 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5edd2580-3272-4509-b121-57054b4c70c4 Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ccdd9d7c-2bb6-465b-8ea1-5584b4af072e Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.connectedcache/enterprisemcccustomers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b678d84d-9723-4df0-a131-82c730231f1e Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Recovery Services vaults (microsoft.recoveryservices/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d9f11fea-dd45-46aa-8908-b7a146f1e543 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a81eb966-6696-46b1-9153-bed01569a7d0 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2eb903dd-4881-4284-a31d-4bae3f053946 Enable logging by category group for microsoft.community/communitytrainings to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.community/communitytrainings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring baa4c6de-b7cf-4b12-b436-6e40ef44c8cb Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network security groups (microsoft.network/networksecuritygroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2137dd9f-94ac-413f-93a8-d068966308c9 Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Data Explorer Clusters (microsoft.kusto/clusters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2f4d1c08-3695-41a7-a0a0-8db4a0e25233 Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Recovery Services vaults (microsoft.recoveryservices/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring dfbfceaa-14b2-4a90-a679-d169fa6a6a38 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e488a548-7afd-43a7-a903-2a6dd36e7504 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 9cbc4c60-0db8-483c-999b-0f017a01a56b Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid System Topics (microsoft.eventgrid/systemtopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 751f9297-5aae-4313-af2d-2a89226a7856 Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data factories (V2) (microsoft.datafactory/factories). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0dac4c0b-0ca4-4c6e-9a09-61917873b3b0 Enable logging by category group for microsoft.networkcloud/baremetalmachines to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/baremetalmachines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6b2899d8-5fdf-4ade-ba59-f1f82664877b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 00ec9865-beb6-4cfd-82ed-bd8f50756acd Enable logging by category group for microsoft.network/p2svpngateways to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring aade2723-e7f6-46fd-b1dc-e6c2c7f7edc4 Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d16cdb9f-e2a8-4002-88f6-9eeaea1766f7 Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a285df35-0164-4f4d-9e04-c39056742c55 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring da9b245a-05a9-4c2a-acb3-5afe62658776 Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Integration accounts (microsoft.logic/integrationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 69e0da8f-ca50-479d-b1a8-33a31426c512 Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b4a9c220-1d62-4163-a17b-30db7d5b7278 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 20a921eb-1c4b-4bb7-a78f-6653ad293dba Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networksecurityperimeters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring efa9bf93-28f9-4f05-8e8c-31b8875e9713 Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Storage movers (microsoft.storagemover/storagemovers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 557c828f-aa51-40d9-868a-cff8d3982818 Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c3b912c2-7f5b-47ac-bd52-8c85a7667961 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2f6556cb-a2da-4130-a0dd-e5d05dccf9bb Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Video Indexer (microsoft.videoindexer/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 60579569-3633-42cb-ae6a-195080bf310d Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkfunction/azuretrafficcollectors. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 005380e0-1f5b-467a-8ae8-8519938627f9 Enable logging by category group for microsoft.networkcloud/storageappliances to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/storageappliances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b9c8d1de-593f-472f-b32a-7e2fe0c2374a Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Communication Services (microsoft.communication/communicationservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f231d9f4-9110-40eb-979e-e4eac6602be2 Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure API for FHIR (microsoft.healthcareapis/services). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ae48c709-d2b4-4fad-8c5c-838524130aa4 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 315c965f-c0d7-4397-86d3-c05a0981437a Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/workspaces/onlineendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 17f18067-406f-49b2-84ce-d1eb66c3fc75 Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Live events (microsoft.media/mediaservices/liveevents). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 271ccc7b-8334-48c5-b90b-edf37dfb2d00 Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data factories (V2) (microsoft.datafactory/factories). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6f3f5778-f809-4755-9d8f-bd5a5a7add85 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 605dd1c9-db6f-496f-ba7f-841ea3e246e0 Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MySQL servers (microsoft.dbformysql/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d7d59290-3ee5-4c1b-b408-c38b21799aea Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.managednetworkfabric/networkdevices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d98f63ed-e319-4dc3-898f-600953a05f7e Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Managed Grafana (microsoft.dashboard/grafana). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3dd58519-427e-42a4-8ffc-e415a3c716f1 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 40f0d036-d73d-45a9-8c3d-f3f84d227193 Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Batch accounts (microsoft.batch/batchaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring eb2fea88-fa7b-4531-a4c1-428c618fbcc8 Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4d46b9c1-0a86-41bf-aaf2-74d0ebf8ce66 Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.cdn/cdnwebapplicationfirewallpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 02f64cac-bab0-4950-bb95-51f2d3970efa Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.timeseriesinsights/environments/eventsources. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 116caf13-2666-4a2e-afca-9a5f1e671b11 Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Power BI Embedded (microsoft.powerbidedicated/capacities). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b797045a-b3cd-46e4-adc4-bbadb3381d78 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a474a6be-35da-4c8a-ae97-f97d03bbd213 Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dev centers (microsoft.devcenter/devcenters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 94d707a8-ce27-4851-9ce2-07dfe96a095b Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 4b05de63-3ad2-4f6d-b421-da21f1328f3b Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 50cebe4c-8021-4f07-bcb2-6c80622444a9 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a83fcddb-39d0-4c21-af38-76d2c935c3ca Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments/eventsources. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e2526c67-0363-4da9-96f8-a95d746cf60b Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Playwright Testing (microsoft.azureplaywrightservice/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring be9259e2-a221-4411-84fd-dd22c6691653 Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3d9b8097-326d-4675-8cff-cce4580c9208 Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e40b8f6f-0ecf-4c3b-b095-ba3562256e48 Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Analysis Services (microsoft.analysisservices/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 14ed86b4-ea45-4b1b-98a5-eb8f5f7da726 Enable logging by category group for microsoft.openenergyplatform/energyservices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.openenergyplatform/energyservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 889bfebf-7428-426e-a86f-79e2a7de2f71 Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Load balancers (microsoft.network/loadbalancers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2453e322-a7e5-4905-ba1e-ac6ea60ff808 Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 93319447-e347-406b-953f-618c3b599554 Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for ExpressRoute circuits (microsoft.network/expressroutecircuits). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0fcf2d91-8951-43be-9505-ab43dee2f580 Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 28e2d787-b5f4-43cf-8cb7-11b54773d379 Enable logging by category group for microsoft.network/networkmanagers/ipampools to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networkmanagers/ipampools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7e87b2cc-1e49-4e07-a651-a2f38d4667ad Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data collection rules (microsoft.insights/datacollectionrules). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1aa5a06a-0cee-4598-8200-94755d500381 Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bbf47f27-95e4-46a0-82e1-898ce046d857 Enable logging by category group for microsoft.azuresphere/catalogs to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.azuresphere/catalogs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d8a9593e-791e-4fd7-9b22-a75b76e5de17 Enable logging by category group for microsoft.documentdb/mongoclusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/mongoclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4c9cd884-3e45-4588-ac9d-00d44be2cbcd Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 54c7cff6-a032-43e1-9656-d4c24665f805 Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.notificationhubs/namespaces/notificationhubs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 68ba9fc9-71b9-4e6f-9cf5-ecc07722324c Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a142867f-3142-4ac6-b952-ab950a29fca5 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0983eb33-77d7-47e5-9fa7-879f8cea012e Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e6acdfc4-25e3-4b36-9b0c-5c5743edd1b7 Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Workspaces (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 23673f24-2594-43e9-9983-60a0be21bd76 Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network Managers (microsoft.network/networkmanagers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0ba93a1b-ac4d-4e7b-976a-548a18be1e52 Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5798b390-1b02-47b7-88fb-90adf07e8d1b Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8af74447-9495-4245-8e49-f74723dcd231 Enable logging by category group for microsoft.openenergyplatform/energyservices to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.openenergyplatform/energyservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9529ceaf-8c7e-4149-bcb6-f38f63c5e4bd Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ed251afd-72b1-4e41-b6c9-6614420f1207 Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Shares (microsoft.datashare/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5b67d7f3-488f-42df-ab16-e38a913fcdba Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Spring Apps (microsoft.appplatform/spring). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 257954d9-4adf-410b-9751-3bb22fe9c180 Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure AD Domain Services (microsoft.aad/domainservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 041fdf14-0dd4-4ce0-83ff-de5456be0c85 Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MySQL servers (microsoft.dbformysql/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9df7e623-1f7c-47fa-9db6-777c9a3f2636 Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.autonomousdevelopmentplatform/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0120ef84-66e7-4faf-aad8-14c36389697e Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network security groups (microsoft.network/networksecuritygroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8d253bba-a338-4fd9-9752-6b6edadca1eb Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring fea83f6c-a18a-4338-8f1f-80ecba4c5643 Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Backup vaults (microsoft.dataprotection/backupvaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 958060c2-8d8e-478e-b3ec-d3d2249b461c Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring adeec880-527c-4def-a2bf-3053be70eef8 Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.managednetworkfabric/networkdevices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 99b3bfad-aef0-476d-ae98-40861f8eae22 Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application groups (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a511ca63-0a10-46e3-960b-bb6431e9e1a3 Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.managednetworkfabric/networkdevices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8d0e693f-1b54-41d1-880e-199c3caed23f Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual networks (microsoft.network/virtualnetworks). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 68d95589-2f07-42e3-ae6d-80a2ae3edbc4 Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Load Testing (microsoft.loadtestservice/loadtests). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3c25d50c-bd5a-4f98-a0de-2495e000cfa7 Enable logging by category group for microsoft.openenergyplatform/energyservices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.openenergyplatform/energyservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ffe49e3d-50dd-4137-8fe5-6877c4384b69 Enable logging by category group for microsoft.workloads/sapvirtualinstances to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.workloads/sapvirtualinstances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a6dd4d00-283d-4765-b3d1-44ace2ccacda Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkfunction/azuretrafficcollectors. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c1c0dd3c-6354-4265-a88b-801f84649944 Enable logging by category group for microsoft.documentdb/cassandraclusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/cassandraclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring c5ecf495-6caa-445c-b431-04fda56c555a Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for ExpressRoute circuits (microsoft.network/expressroutecircuits). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3893777a-aaf0-4b74-b08a-14ca9e5a9608 Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container Apps Environments (microsoft.app/managedenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 72d254bb-d0ed-42f2-9160-6b11b65b599c Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8963c37c-1113-4f1b-ae2e-3a5dd960a7f1 Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments/eventsources. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7806c8b4-afc9-4a35-b9a9-3707413df35e Enable logging by category group for microsoft.insights/autoscalesettings to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.insights/autoscalesettings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1118afbc-c48d-43ae-931a-87b38956d40b Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9dc3e252-1cff-4ae5-bcad-5a92b7167d43 Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service Environments (microsoft.web/hostingenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Azure Update Manager 9905ca54-1471-49c6-8291-7582c04cd4d4 [Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual machines. This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and enables 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1c5187ed-9863-4961-bb92-c72bc3883e24 Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Load Testing (microsoft.loadtestservice/loadtests). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f7407db8-e40d-4efd-9fff-c61298e01fd5 Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 087dbf66-448d-4235-b7b8-17af48edc9db Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.classicnetwork/networksecuritygroups. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 75a112bc-759f-4f29-83cc-799019db39c3 Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Load Testing (microsoft.loadtestservice/loadtests). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 39078c44-b8d4-4c7d-8579-7f021d326ebf Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Chaos Experiments (microsoft.chaos/experiments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 85779c9a-7fdf-4294-937c-ded183166fa8 Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container instances (microsoft.containerinstance/containergroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6a664864-e2b5-413e-b930-f11caa132f16 Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container Apps Environments (microsoft.app/managedenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e9b1fed8-35a2-47d0-b8aa-3834f5032862 Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ac27709a-8e3a-4abf-8122-877af1dd9209 Enable logging by category group for microsoft.insights/autoscalesettings to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.insights/autoscalesettings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ae0fc3d3-c9ce-43e8-923a-a143db56d81e Enable logging by category group for microsoft.documentdb/cassandraclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/cassandraclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 90c90eda-bfe7-4c67-bf26-410420ed1047 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 77c56019-5c71-4d33-9ce3-7a817f2bc7fa Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Shares (microsoft.datashare/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 73baf464-93bb-450f-bda5-209c16d28dc3 Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 50ca36f4-5306-4275-ad42-a40ca2805c77 Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Databricks Services (microsoft.databricks/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 92012204-a7e4-4a95-bbe5-90d0d3e12735 Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application gateways (microsoft.network/applicationgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5cfb9e8a-2f13-40bd-a527-c89bc596d299 Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/workspaces/onlineendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5a69fd36-760e-4a65-a621-836f1159e304 Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.notificationhubs/namespaces/notificationhubs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 454c7d4b-c141-43f1-8c81-975ebb15a9b5 Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Databricks Services (microsoft.databricks/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 12000b3e-e38b-4bef-9098-38785f06ea32 Enable logging by category group for microsoft.machinelearningservices/registries to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/registries. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a21ac20a-4dd3-40e9-8036-b3351ecf9319 Enable logging by category group for microsoft.timeseriesinsights/environments to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.timeseriesinsights/environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ba00f5fb-98f7-4542-b88a-16c5ce44f26a Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.autonomousdevelopmentplatform/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 03a087c0-b49f-4440-9ae5-013703eccc8c Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 34c7546c-d637-4b5d-96ab-93fb6ed07af8 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0da6faeb-d6c6-4f6e-9f49-06277493270b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2d8b0f41-9850-4bac-b63b-96a882a0e683 Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Connected Cache Resources (microsoft.connectedcache/ispcustomers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ed6ae75a-828f-4fea-88fd-dead1145f1dd Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 8464ded4-af15-4319-950f-a30400d35247 Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Integration accounts (microsoft.logic/integrationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 244bcb20-b194-41f3-afcc-63aef382b64c Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves) Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch (1.0.0 > 1.0.1) 2024-04-29 17:47:10 BuiltIn
Monitoring e25bcb29-0412-42c3-a526-1ff794310a1e Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure API for FHIR (microsoft.healthcareapis/services). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2e3285f9-ae82-4f69-b83f-5b6f1ee69f3a Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Playwright Testing (microsoft.azureplaywrightservice/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a853abad-dfa4-4bf5-aaa1-04cb10c02d23 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 415eaa04-e9db-476a-ba43-092d70ebe1e7 Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bot Services (microsoft.botservice/botservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 60af09fa-d167-44da-9bfc-21a49546a7b5 Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Backup vaults (microsoft.dataprotection/backupvaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2cc39a57-5106-4d41-b872-55c2b9d7b729 Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP Prefixes (microsoft.network/publicipprefixes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b90ec596-faa6-4c61-9515-34085703e260 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 9756f174-ca74-4d7a-a56e-7104d8a954b0 Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Communication Services (microsoft.communication/communicationservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c29fe1b2-c0b0-4d92-a988-84b484801707 Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network Managers (microsoft.network/networkmanagers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f55ffc18-72c5-479c-a998-dc6806a6fa89 Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Host pools (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f873a711-0322-4744-8322-7e62950fbec2 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a08af17e-c2a3-478e-a819-94839ef02b32 Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networkmanagers/ipampools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 434b25a4-5396-41ec-97aa-1f4ae3bf269d Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Analysis Services (microsoft.analysisservices/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0e0c742d-5031-4e65-bf96-1bee7cf55740 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e0f5ec01-8979-49bf-9fd7-2a4eff9fa8e0 Enable logging by category group for microsoft.network/vpngateways to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/vpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0fdc6116-c747-449c-b9cc-330fcd4c5c9c Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/dnsresolverpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 106cd3bd-50a1-466c-869f-f9c2d310477b Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 6248cb7c-e485-42ad-ba20-b1ee8fba7674 Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Databricks Services (microsoft.databricks/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring aaa4560d-9580-4804-a5e5-b9ffb469d49e Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Data Explorer Clusters (microsoft.kusto/clusters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e76ef589-c7d6-42cf-a61a-13471f6f50cd Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Caches (microsoft.cache/redisenterprise/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 76e7a3b8-3822-4ca2-92d8-c20616fd870b Enable logging by category group for microsoft.powerbi/tenants/workspaces to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.powerbi/tenants/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 145ff119-bfcf-443a-834c-b59859ec3ee7 Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Caches (microsoft.cache/redisenterprise/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5fcf46f9-194c-47ff-8889-380f57ae4617 Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewalls (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 668e9597-4ccc-452f-80be-e9dd5b2ab897 Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Power BI Embedded (microsoft.powerbidedicated/capacities). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-29 17:47:10 BuiltIn
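Every record above whose default effect is DeployIfNotExists only works when the policy assignment carries a managed identity holding the roles under "Roles used" (Azure Event Hubs Data Owner plus Log Analytics Contributor for the Event Hub variants, Log Analytics Contributor alone for the Log Analytics and Storage variants, Virtual Machine Contributor for the agent rollout), and resources that already existed at assignment time are only brought into line by a remediation task. The following is an added example, not part of this change log and not Microsoft's code: a Python parser for the flattened record layout used on this page, plus an audit that flags a role count that does not match the listed roles, a role set that deviates from the ones this change set shows per destination, a DeployIfNotExists policy with no role at all, and broad roles on a remediation identity (the broad-role list is my own choice). The two sample records are copied from this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two records copied from this page in its flattened layout
# (header, default effect, 'Allowed', allowed effects, role count, roles, change kind, version/date/type).
SAMPLE = """\
Monitoring e9b1fed8-35a2-47d0-b8aa-3834f5032862 Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-29 17:47:10 BuiltIn
"""

HEADER = re.compile(r"^(?P<category>.+?) (?P<id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}) (?P<body>.+) Default$")
COUNT = re.compile(r"^count: (\d+)$")
TAIL = re.compile(r"^(?P<version>.+?) (?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kind>\S+)$")
# Resource type and log destination of the 'Enable logging by category group for X to Y' policies.
TARGET = re.compile(r"for (?:[^()]*\()?(?P<rtype>microsoft\.[a-z0-9./]+)\)? to (?P<dest>Event Hub|Log Analytics|Storage)\b", re.I)

@dataclass
class PolicyChange:
    policy_id: str
    body: str                      # display name and description, as the page runs them together
    resource_type: Optional[str]   # e.g. microsoft.synapse/workspaces; None for non-diagnostic policies
    destination: Optional[str]     # Event Hub / Log Analytics / Storage; None for non-diagnostic policies
    default_effect: str
    allowed_effects: list
    declared_role_count: int       # the 'count: NNN' line
    roles: list                    # the 'Roles used' lines the assignment identity must hold
    change: str                    # add / change
    version: str                   # 'new Policy' or e.g. 'Minor (1.0.0 > 1.1.0)'

def parse_changes(text: str) -> list:
    """Parse records in the page's layout; raises ValueError on a malformed record."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    records, i = [], 0
    while i < len(lines):
        head = HEADER.match(lines[i])
        count = COUNT.match(lines[i + 4]) if i + 4 < len(lines) else None
        if count is None or head is None or lines[i + 2] != "Allowed":
            raise ValueError(f"malformed record starting at line {i + 1}: {lines[i]!r}")
        n = int(count.group(1))
        tail = TAIL.match(lines[i + 6 + n]) if i + 6 + n < len(lines) else None
        if tail is None:
            raise ValueError(f"malformed version/date line for policy {head['id']}")
        target = TARGET.search(head["body"])
        records.append(PolicyChange(
            policy_id=head["id"],
            body=head["body"],
            resource_type=target["rtype"].lower() if target else None,
            destination=target["dest"].title() if target else None,
            default_effect=lines[i + 1],
            allowed_effects=[e.strip() for e in lines[i + 3].split(",")],
            declared_role_count=n,
            roles=lines[i + 5:i + 5 + n],
            change=lines[i + 5 + n],
            version=tail["version"],
        ))
        i += 7 + n   # header + 4 fixed lines + n roles + change + tail
    return records

# Role sets this page pairs with each destination ('Roles used' column), and broad roles
# that should not reach a remediation identity without review (my own list, an assumption).
USUAL_ROLES = {
    "Event Hub": {"Azure Event Hubs Data Owner", "Log Analytics Contributor"},
    "Log Analytics": {"Log Analytics Contributor"},
    "Storage": {"Log Analytics Contributor"},
}
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def audit(rec: PolicyChange) -> list:
    """Return findings about the roles a record expects; an empty list means clean."""
    findings = []
    if rec.declared_role_count != len(rec.roles):
        findings.append(f"{rec.policy_id}: count says {rec.declared_role_count}, {len(rec.roles)} roles listed")
    if rec.default_effect == "DeployIfNotExists" and not rec.roles:
        findings.append(f"{rec.policy_id}: DeployIfNotExists with no role for the assignment identity")
    usual = USUAL_ROLES.get(rec.destination or "")
    if usual is not None and set(rec.roles) != usual:
        findings.append(f"{rec.policy_id}: roles {sorted(rec.roles)} differ from the usual {sorted(usual)} for {rec.destination}")
    findings += [f"{rec.policy_id}: broad role {r!r}; scope the identity narrowly" for r in rec.roles if r in BROAD_ROLES]
    return findings

def roles_for_identity(records) -> list:
    """Union of roles one managed identity needs to remediate all of the given policies."""
    return sorted({r for rec in records for r in rec.roles})
```

Run `parse_changes` over the records you intend to assign, compare `roles_for_identity` with what the assignment's managed identity actually holds, and resolve anything `audit` returns before creating the remediation task; a role the identity lacks shows up later as a failed remediation, not as a policy evaluation error.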
Monitoring 90425e88-1eab-420c-964e-fc1dc79833a6 Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Batch accounts (microsoft.batch/batchaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring abb62520-ee66-4bdb-96d3-49ad98c66131 Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Spring Apps (microsoft.appplatform/spring). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a7c668bd-3327-474f-8fb5-8146e3e40e40 Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Host pools (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0509e2d8-d657-4563-a7c8-b88b9180a6e8 Enable logging by category group for microsoft.community/communitytrainings to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.community/communitytrainings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0b6b8abb-7761-4e02-ae0e-2c873b5152ca Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Spring Apps (microsoft.appplatform/spring). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 69d4fcec-8426-426a-ad48-439fd3b14e9e Enable logging by category group for microsoft.dbforpostgresql/servers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1888f765-327a-4a8d-9816-968b34ea8b78 Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5305ea79-c247-456a-bdbd-dc35cef62ce1 Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dev centers (microsoft.devcenter/devcenters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 82333640-495e-4249-92bb-2a5e2d07b964 Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network Managers (microsoft.network/networkmanagers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring dc1b5908-da05-4eed-a988-c5e32fdb682d Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/dnsresolverpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0eb11858-8d9f-4525-b9ab-cc5eab07d27a Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed CCF Apps (microsoft.confidentialledger/managedccfs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e92686fd-65f0-420f-a52b-7da14f3cef90 Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Recovery Services vaults (microsoft.recoveryservices/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a9ebdeda-251a-4311-92be-5167d73b1682 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 35806bc0-0260-4642-bae7-0ed677b3da44 Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Chaos Experiments (microsoft.chaos/experiments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d3e11828-02c8-40d2-a518-ad01508bb4d7 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring c600af08-49ff-4f7a-b5c9-0686749387b7 Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container instances (microsoft.containerinstance/containergroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ba0ba89c-1137-407f-ae7a-19152ea7ae82 Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Load balancers (microsoft.network/loadbalancers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 63f9b4b2-de99-4b16-ad94-1a5464ac4f7d Enable logging by category group for microsoft.synapse/workspaces/kustopools to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.synapse/workspaces/kustopools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d111f33e-5cb3-414e-aec4-427e7d1080c9 Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Analytics (microsoft.datalakeanalytics/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 07c818eb-df75-4465-9233-6a8667e86670 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 39741c6f-5e8b-4511-bba4-6662d0e0e2ac Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e99ab54f-260e-4925-a70f-8fe0a92443ef Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Storage movers (microsoft.storagemover/storagemovers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fa570aa1-acca-4eea-8e5a-233cf2c5e4c2 Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Caches (microsoft.cache/redisenterprise/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d147ba9f-3e17-40b1-9c23-3bca478ba804 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 58e22268-dacf-4b7f-b445-338a7e56d23c Enable logging by category group for Logic apps (microsoft.logic/workflows) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Logic apps (microsoft.logic/workflows). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 84509667-1a94-4255-9e5f-b479075c1069 Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servergroupsv2. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b70d4e3a-b1d5-4432-b058-7ea0a4c02a4e Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.connectedcache/enterprisemcccustomers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e7c86682-34c1-488a-9aab-9cb279207992 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-04-22 16:32:55 BuiltIn
Communication bcff6755-335b-484d-b435-d1161db39cdc Communication service resource should use a managed identity Assigning a managed identity to your Communication service resource helps ensure secure authentication. This identity is used by this Communication service resource to communicate with other Azure services, like Azure Storage, in a secure way without you having to manage any credentials. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-04-22 16:32:55 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.2.0 > 1.3.0) 2024-04-22 16:32:55 BuiltIn
Communication 93c45b74-42a1-4967-b25d-82c4dc630921 Communication service resource should use allow listed data location Create a Communication service resource only from an allow listed data location. This data location determines where the data of the communication service resource will be stored at rest, ensuring your preferred allow listed data locations as this cannot be changed after resource creation. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-04-22 16:32:55 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-04-22 16:32:55 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) 2024-04-22 16:32:55 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.3.0 > 1.4.0) 2024-04-22 16:32:55 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) 2024-04-22 16:32:55 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.4.0 > 3.5.0) 2024-04-12 17:45:57 BuiltIn
Azure Ai Services 55eff01b-f2bd-4c32-9203-db285f709d30 Configure Azure AI Services resources to disable local key access (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Cognitive Services Contributor
Cognitive Services OpenAI Contributor
add
new Policy 2024-04-12 17:45:57 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.4.0 > 4.5.0) 2024-04-12 17:45:57 BuiltIn
Guest Configuration 3dc5edcd-002d-444c-b216-e123bbfa37c0 Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.1.0-preview > 1.1.1) 2024-04-12 17:45:57 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes 8e875f96-2c56-40ca-86db-b9f6a0be7347 [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring f17d891d-ff20-46f2-bad3-9e0a5403a4d3 Linux Arc-enabled machines should have Azure Monitor Agent installed Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes e16d171b-bfe5-4d79-a525-19736b396e92 [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (1.1.0 > 1.2.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for Linux containers. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Security Center 3d5ed4c2-5e50-4c76-932b-8982691b68ae Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers Enable Advanced Threat Protection on your Azure database for MySQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2024-04-12 17:45:57 BuiltIn
Azure Ai Services d45520cb-31ca-44ba-8da2-fcf914608544 Configure Azure AI Services resources to disable local key access (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 003
Cognitive Services Contributor
Cognitive Services OpenAI Contributor
Search Service Contributor
add
new Policy 2024-04-12 17:45:57 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-04-12 17:45:57 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.5.0 > 3.6.0) 2024-04-12 17:45:57 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.4.0 > 3.5.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes d77f191e-2338-45d0-b6d4-4ee1c586a192 [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting maxUnavailable to 1 means that at most one pod covered by the budget can be voluntarily evicted at a time, so the application or service stays available during a disruption such as a node drain or upgrade Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.3.0 > 2.4.0) 2024-04-12 17:45:57 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted at rest by default using platform-managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.2.0-preview > 1.2.1) 2024-04-12 17:45:57 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.5.0 > 3.6.0) 2024-04-12 17:45:57 BuiltIn
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-08 17:52:20 BuiltIn
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca [Deprecated]: Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range and denies all logins that match IP-based or virtual-network-based firewall rules. This reduces data leakage risks. Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, new suffix: deprecated (3.0.1 > 3.1.0-deprecated) 2024-04-08 17:52:20 BuiltIn
Monitoring 441af8bf-7c88-4efc-bd24-b7be28d4acce Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes d77f191e-2338-45d0-b6d4-4ee1c586a192 [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting maxUnavailable to 1 means that at most one pod covered by the budget can be voluntarily evicted at a time, so the application or service stays available during a disruption such as a node drain or upgrade Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 8656d368-0643-4374-a63f-ae0ed4da1d9a Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 9e6aee71-3781-4acd-bba7-aac4fb067dfa Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-08 17:52:20 BuiltIn
Monitoring e20f31d7-6b6d-4644-962a-ae513a85ab0b Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Sets default container memory limits where none are declared, so that a single container cannot exhaust node memory, whether by accident or through a resource exhaustion attack. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 6567d3f3-42d0-4cfb-9606-9741ba60fa07 Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 1a3b9003-eac6-4d39-a184-4a567ace7645 [Preview]: Kubernetes cluster container images must include the preStop hook Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 480851ae-9ff3-49d1-904c-b5bd6f83f1ec Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-08 17:52:20 BuiltIn
Security Center 0b15565f-aa9e-48ba-8619-45960f2c314d Email notification to subscription owner for high severity alerts should be enabled To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes e16d171b-bfe5-4d79-a525-19736b396e92 [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 021f8078-41a0-40e6-81b6-c6597da9f3ee [Preview]: Kubernetes cluster container images should not include latest image tag Requires that container images do not use the latest tag. Explicit, versioned image references ensure reproducibility, prevent unintended updates, and make debugging and rollbacks easier. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Security Center 6e2593d9-add6-4083-9c9b-4b7d2188c899 Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.1 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 1513498c-3091-461a-b321-e9b433218d28 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Sets default container CPU limits where none are declared, so that a single container cannot monopolise node CPU, whether by accident or through a resource exhaustion attack. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Kubernetes 8e875f96-2c56-40ca-86db-b9f6a0be7347 [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Kubernetes 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for Linux containers. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
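The Kubernetes preview policies above (default memory and CPU limits, the required preStop hook, the ban on the latest tag, readOnlyRootFileSystem for containers and init containers, the maxUnavailable mutation for PodDisruptionBudgets and, further down, the "accurate Pod Disruption Budgets" check) are easier to reason about when the same rules are written out against a concrete manifest. The block below is an added example for this page, not Azure Policy or Gatekeeper code: it applies the Audit-style checks and Mutate-style defaults to constructed sample manifests. The limit values are assumptions (the built-ins take them as parameters), and the mutation for PDBs is assumed to fire only when neither minAvailable nor maxUnavailable is set.

```python
"""Offline re-implementation of the checks behind the AKS preview policies above.
Constructed for this page; not Azure Policy's or Gatekeeper's code."""
from __future__ import annotations

import copy
import math

DEFAULT_CPU_LIMIT = "500m"      # assumed value for the CPU-limit mutation
DEFAULT_MEMORY_LIMIT = "512Mi"  # assumed value for the memory-limit mutation


def image_uses_latest(image: str) -> bool:
    """True when the reference resolves to the mutable 'latest' tag: 'nginx' and
    'nginx:latest' are flagged, 'nginx:1.25' and digest-pinned references are not.
    The registry host may carry ':port', so the tag is read from the last path part."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return tag == "latest"


def audit_containers(pod: dict) -> list[str]:
    """Audit-style findings: latest tag on any container, and no preStop hook on
    regular containers (init containers run to completion, so none is expected there)."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            if image_uses_latest(c.get("image", "")):
                findings.append(f"{kind}/{c['name']}: image {c.get('image')!r} uses the latest tag")
            if kind == "containers" and "preStop" not in c.get("lifecycle", {}):
                findings.append(f"{kind}/{c['name']}: no lifecycle.preStop hook")
    return findings


def mutate_pod(pod: dict) -> dict:
    """Mutate-style defaults, applied only where the field is absent: CPU and memory
    limits, and readOnlyRootFilesystem=True (the actual pod-spec field name, despite
    the policy titles' spelling) on containers and init containers."""
    out = copy.deepcopy(pod)
    for kind in ("initContainers", "containers"):
        for c in out.get("spec", {}).get(kind, []):
            limits = c.setdefault("resources", {}).setdefault("limits", {})
            limits.setdefault("cpu", DEFAULT_CPU_LIMIT)
            limits.setdefault("memory", DEFAULT_MEMORY_LIMIT)
            c.setdefault("securityContext", {}).setdefault("readOnlyRootFilesystem", True)
    return out


def _scaled(value, replicas: int) -> int:
    """Resolve an int or 'NN%' PDB value; the disruption controller rounds percentages up."""
    if isinstance(value, str) and value.endswith("%"):
        return math.ceil(replicas * int(value[:-1]) / 100)
    return int(value)


def pdb_allowed_disruptions(pdb: dict, replicas: int) -> int:
    """Voluntary evictions the budget permits with every replica healthy. 0 means the
    PDB blocks drains and upgrades outright: the faulty budget the accuracy policy flags."""
    spec = pdb.get("spec", {})
    if "maxUnavailable" in spec:
        return min(replicas, _scaled(spec["maxUnavailable"], replicas))
    if "minAvailable" in spec:
        return max(0, replicas - _scaled(spec["minAvailable"], replicas))
    return 0  # neither field set: treated here as blocking, which mutate_pdb repairs


def mutate_pdb(pdb: dict) -> dict:
    """Set maxUnavailable=1 when the budget names neither field (assumed behaviour;
    the two fields are mutually exclusive, so an existing minAvailable is left alone)."""
    out = copy.deepcopy(pdb)
    spec = out.setdefault("spec", {})
    if "maxUnavailable" not in spec and "minAvailable" not in spec:
        spec["maxUnavailable"] = 1
    return out


# Constructed sample manifests (not from the page).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [{"name": "web", "image": "nginx:latest",
                        "resources": {"limits": {"memory": "256Mi"}}}],
    },
}
SAMPLE_PDB = {"apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
              "metadata": {"name": "web"}, "spec": {"minAvailable": 3}}

if __name__ == "__main__":
    for finding in audit_containers(SAMPLE_POD):
        print("finding:", finding)
    print("web limits after mutation:", mutate_pod(SAMPLE_POD)["spec"]["containers"][0]["resources"]["limits"])
    print("allowed disruptions for 3 replicas:", pdb_allowed_disruptions(SAMPLE_PDB, 3))
```

The mutations only fill absent fields, which is the point of a Mutate effect: an explicit `readOnlyRootFilesystem: false` or a declared limit is left as the author wrote it, so the policies change the baseline without silently overriding deliberate choices. The PDB arithmetic is the part worth running against your own budgets: a minAvailable equal to the replica count yields zero allowed disruptions and will stall every node drain.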
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.3.0 > 4.4.0) 2024-03-29 18:59:24 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (6.2.0 > 6.3.0) 2024-03-29 18:59:24 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.1.1 > 1.1.2) 2024-03-29 18:59:24 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (2.1.0 > 2.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.2.0 > 4.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (4.3.0 > 4.4.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-03-25 19:17:21 BuiltIn
DevCenter ece3c79b-2caf-470d-a5f5-66470c4fc649 [Preview]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks. Disallows the use of Microsoft Hosted Networks when creating Pool resources. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-25 19:17:21 BuiltIn
Backup d6588149-9f06-462c-a076-56aece45b5ba [Preview]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. Also an option to enforce Infra Encryption. This policy applies the chosen effect based on whether Encryption Settings are enabled for Backup Vaults in scope, with an additional option to check that the Backup Vault also has Infrastructure Encryption enabled. Learn more at https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk. Note that with the 'Deny' effect, Encryption Settings must be enabled on existing Backup Vaults before other update operations on the vault will go through. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-25 19:17:21 BuiltIn
Monitoring ec621e21-8b48-403d-a549-fc9023d4747f Windows Arc-enabled machines should have Azure Monitor Agent installed Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.3.0 > 2.4.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (6.1.0 > 6.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.2.0 > 3.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.1.0 > 4.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.1.0 > 4.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.2.0 > 3.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (2.1.0 > 2.2.0) 2024-03-25 19:17:21 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Improve cluster security by centrally governing administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Minor (2.0.4 > 2.1.0) 2024-03-15 22:15:34 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Security Center 5f0f936f-2f01-4bf5-b6be-d423792fa562 [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (2.0.2 > 2.1.0-deprecated) 2024-03-15 22:15:34 BuiltIn
General 78460a36-508a-49a4-b2b2-2f5ec564f4bb Do not allow deletion of resource types This policy enables you to specify the resource types that your organization wants to protect from accidental deletion by blocking delete calls using the DenyAction effect. Default
DenyAction
Allowed
DenyAction, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-03-15 22:15:34 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.3 > 1.1.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Users should not edit individual nodes; edit node pools instead. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Azure Ai Services 1b4d1c4e-934c-4703-944c-27c82c06bebb Diagnostic logs in Azure AI services resources should be enabled Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-03-11 18:31:50 BuiltIn
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Minor (2.0.1 > 2.1.0) 2024-03-11 18:31:50 BuiltIn
Trusted Launch b03bb370-5249-4ea4-9fce-2552e87e45fa Disks and OS image should support TrustedLaunch TrustedLaunch improves the security of a virtual machine and requires the OS disk and OS image to support it (Generation 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-03-11 18:31:50 BuiltIn
Trusted Launch c95b54ad-0614-4633-ab29-104b01235cbf Virtual Machine should have TrustedLaunch enabled Enable TrustedLaunch on Virtual Machine for enhanced security, use VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-03-11 18:31:50 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2024-03-11 18:31:50 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Minor (4.0.1 > 4.1.0) 2024-03-11 18:31:50 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.6.0 > 3.7.0) 2024-03-11 18:31:50 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor (4.7.0 > 4.8.0) 2024-03-11 18:31:50 BuiltIn
Azure Ai Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-03-11 18:31:50 BuiltIn
Cache 766f5de3-c6c0-4327-9f4d-042ab8ae846c Configure Azure Cache for Redis to disable non SSL ports Enable SSL only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default
Modify
Allowed
Modify, Disabled
count: 001
Redis Cache Contributor
add
new Policy 2024-03-11 18:31:50 BuiltIn
Stack HCI 5e6bf724-0154-49bc-985f-27b2e07e636b [Preview]: Azure Stack HCI servers should meet Secured-core requirements Ensure that all Azure Stack HCI servers meet the Secured-core requirements. To enable the Secured-core server requirements: 1. From the Azure Stack HCI clusters page, go to Windows Admin Center and select Connect. 2. Go to the Security extension and select Secured-core. 3. Select any setting that is not enabled and click Enable. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI 7384fde3-11b0-4047-acbd-b3cf3cc8ce07 [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/dad3a6b9-4451-492f-a95c-69efc6f3fada. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Stack HCI aee306e7-80b0-46f3-814c-d3d3083ed034 [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Mobile Network 7508b186-60e2-4518-bf70-3d7fbaba1f3a Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID Authentication type must be Microsoft EntraID for packet core diagnostic access over local APIs Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
add
new Policy 2024-03-01 17:50:27 BuiltIn
Mobile Network aec63c84-f9ea-46c7-9e66-ba567bae0f09 Packet Core Control Plane diagnostic access should only use Microsoft EntraID authentication type Authentication type must be Microsoft EntraID for packet core diagnostic access over local APIs Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI ae95f12a-b6fd-42e0-805c-6b94b86c9830 [Deprecated]: Azure Stack HCI systems should have encrypted volumes This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Stack HCI ee8ca833-1583-4d24-837e-96c2af9488a4 [Preview]: Azure Stack HCI systems should have encrypted volumes Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI dad3a6b9-4451-492f-a95c-69efc6f3fada [Preview]: Azure Stack HCI servers should have consistently enforced application control policies At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
new Policy 2024-03-01 17:50:27 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance security by rejecting invoke-command access to the cluster Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Minor (1.1.0 > 1.2.0) 2024-03-01 17:50:27 BuiltIn
Stack HCI 36f0d6bc-a253-4df8-b25b-c3a5023ff443 [Preview]: Host and VM networking should be protected on Azure Stack HCI systems Protect data on the Azure Stack HCI hosts network and on virtual machine network connections. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI 56c47221-b8b7-446e-9ab7-c7c9dc07f0ad [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Mobile Network 45c4e9bd-ad6b-4634-9566-c2dad2f03cbf SIM Group should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of SIM secrets in a SIM Group. Customer-managed keys are commonly required to meet regulatory compliance standards and they enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-01 17:50:27 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.0.0 > 4.1.0) 2024-02-27 19:10:20 BuiltIn
Backup 2514263b-bc0d-4b06-ac3e-f262c0979018 [Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2024-02-27 19:10:20 BuiltIn
Healthcare APIs 14961b63-a1eb-4378-8725-7e84ca8db0e6 DICOM Service should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services DICOM Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest fa8af49a-f61d-4f56-9138-46b77d37df43 [Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Default
Audit
Allowed
Audit, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels Default
Disabled
Allowed
Audit, Deny, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest 98cec160-6f57-4d11-86e2-0a03290a3a8a [Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
Backup d6f6f560-14b7-49a4-9fc8-d2c3a9807868 [Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2024-02-27 19:10:20 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.1.0 > 3.2.0) 2024-02-27 19:10:20 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.0.1 > 4.1.0) 2024-02-27 19:10:20 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
Minor (4.0.4 > 4.1.0) 2024-02-27 19:10:20 BuiltIn
Healthcare APIs c42dee8c-0202-4a12-bd8e-3e171cbf64dd FHIR Service should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services FHIR Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-02-27 19:10:20 BuiltIn
VirtualEnclaves 7809fda1-ba27-48c1-9c63-1f5aee46ba89 Storage Accounts should restrict network access through network ACL bypass configuration only. To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
change
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
VirtualEnclaves 41a72361-06e3-4e80-832a-690bd0708bc1 Configure Storage Accounts to restrict network access through network ACL bypass configuration only. To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access. Default
Modify
Allowed
Modify, Disabled
count: 001
Storage Account Contributor
add
new Policy 2024-02-27 19:10:20 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.1.0 > 3.2.0) 2024-02-27 19:10:20 BuiltIn
Resilience 18314dc7-a25d-420c-a069-f094b25ff919 [Preview]: NAT gateway should be Zone Aligned NAT gateway can be configured to be Zone Aligned or not. A NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that a NAT gateway is configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 493c215d-2554-5976-bc81-57d2c04fc8c1 [Preview]: Azure Database for MySQL Flexible Server should be Zone Resilient Azure Database for MySQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. MySQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, MySQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience bf45a74c-ed4f-4300-8afe-d6f0abdfe75b [Preview]: Azure HDInsight should be Zone Aligned Azure HDInsight can be configured to be Zone Aligned or not. Azure HDInsight that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an Azure HDInsight cluster is configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 493c215d-2553-4976-bc81-57d2c04fc8c1 [Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. PostgreSQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, PostgreSQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Azure Ai Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.0 > 3.1.0) 2024-02-20 22:44:08 BuiltIn
Resilience 42daa901-5969-47ef-92cb-b75df946195a [Preview]: Load Balancers should be Zone Resilient Load Balancers with a sku other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 90bc8109-d21a-4692-88fc-51419391da3d [Preview]: Azure AI Search Service should be Zone Redundant Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience ae243d87-5cf3-4dce-90bd-6d62be328de3 [Preview]: Backup and Site Recovery should be Zone Redundant Backup and Site Recovery can be configured to be Zone Redundant or not. Backup and Site Recovery is Zone Redundant if its 'standardTierStorageRedundancy' property is set to 'ZoneRedundant'. Enforcing this policy helps ensure that Backup and Site Recovery is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.1.0 > 6.2.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface (CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, visit https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-02-20 22:44:08 BuiltIn
Resilience 18314dc7-a25d-420c-a069-f094b25ff91b [Preview]: Firewalls should be Zone Resilient Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in its zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in its zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 493c215c-0553-4976-bc81-57d2c04fc8c1 [Preview]: Application Gateways should be Zone Resilient Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gateways that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gateways with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined, recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Extension for SQL Server Deployment
change
Patch, new suffix: deprecated (3.4.0 > 3.4.1-deprecated) 2024-02-20 22:44:08 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Resilience 4bd1f3c0-9443-49ad-b8bc-7c17a92b5924 [Preview]: Backup Vaults should be Zone Redundant Backup Vaults can be configured to be Zone Redundant or not. Backup Vaults are Zone Redundant if their storage settings type is set to 'ZoneRedundant', and they are then considered to be resilient. Geo Redundant or Locally Redundant Backup Vaults are not considered resilient. Enforcing this policy helps ensure that Backup Vaults are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor (4.5.0 > 4.7.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.3-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience 682e4ab9-59fe-4871-9839-265b54c568c4 [Preview]: Public IP addresses should be Zone Resilient Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience f58e8c0a-3c79-431a-abf8-cd1b895478e8 [Preview]: Container Instances should be Zone Aligned Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.1.1 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
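A local check of the rule this policy enforces, added here as an example; it is not the built-in constraint template or any Microsoft code. It evaluates a pod spec against a registry allow-list regex in the spirit of the Gatekeeper-based admission check. The allow-list value and the sample pod are constructed for this example, and normalizing Docker short-hand names (`nginx`, `user/app`) to fully qualified references before matching is this example's design choice; whether the built-in policy normalizes before applying its regex is not stated on the page, so an allow-list that must cover Docker Hub should account for bare names either way:

```python
import re
from typing import Dict, List

# Constructed sample pod spec (not from the page): mixed trusted and untrusted image references.
SAMPLE_POD = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [
            {"name": "app", "image": "contoso.azurecr.io/team/app:1.4.2"},
            {"name": "sidecar", "image": "mcr.microsoft.com/oss/nginx/nginx@sha256:" + "a" * 64},
            {"name": "debug", "image": "nginx"},
        ],
    },
}

# Hypothetical allow-list; the built-in policy takes a comparable regex as a parameter.
ALLOWED_REGISTRY_RE = re.compile(r"^(contoso\.azurecr\.io|mcr\.microsoft\.com)/")


def normalize_image(ref: str) -> str:
    """Expand Docker short-hand so registry matching is exact.

    'nginx'                 -> 'docker.io/library/nginx:latest'
    'user/app:1.0'          -> 'docker.io/user/app:1.0'
    'reg.io/app@sha256:...' -> unchanged (digest-pinned references carry no tag)
    """
    name, sep, digest = ref.partition("@")
    first = name.split("/", 1)[0]
    # The first path component is a registry host only if it looks like one.
    has_registry = "/" in name and ("." in first or ":" in first or first == "localhost")
    if not has_registry:
        name = "docker.io/" + name
        if name.count("/") == 1:          # single-segment name => official 'library/' namespace
            name = name.replace("docker.io/", "docker.io/library/", 1)
    last = name.rsplit("/", 1)[-1]
    if not digest and ":" not in last:    # neither tag nor digest: Docker defaults to :latest
        name += ":latest"
    return name + sep + digest


def image_violations(pod: Dict, allowed: re.Pattern = ALLOWED_REGISTRY_RE) -> List[str]:
    """Return 'container: normalized-image' for every image outside the allow-list.

    Init and ephemeral containers are checked as well: an attacker who can only
    inject an initContainer still gets code execution in the pod's namespace.
    """
    spec = pod.get("spec", {})
    findings = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            image = normalize_image(c["image"])
            if not allowed.match(image):
                findings.append(f"{c['name']}: {image}")
    return findings


if __name__ == "__main__":
    for finding in image_violations(SAMPLE_POD):
        print("deny:", finding)
```

Run stand-alone, the sample pod is rejected for its `busybox` init container and its bare `nginx` container; the digest-pinned MCR sidecar and the ACR image pass. Anchoring the regex with `^` and a trailing `/` matters: `contoso.azurecr.io` without the slash would also admit `contoso.azurecr.io.attacker.example/...`.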
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Azure Ai Services 71ef260a-8f18-47b7-abcb-62d0673d94dc Azure AI Services resources should have key access disabled (disable local authentication) Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which supports the principle of least privilege and granular control. Learn more at: https://aka.ms/AI/auth Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2024-02-20 22:44:08 BuiltIn
Resilience 42daa904-5969-47ef-92fb-b75df946195a [Preview]: Container App should be Zone Redundant Container App can be configured to be Zone Redundant or not. A Container App is Zone Redundant if its managed environment's 'ZoneRedundant' property is set to true. This policy identifies Container App lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience 42daa904-5969-47ef-92cb-b75df946195a [Preview]: API Management Service should be Zone Redundant API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in its zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2024-02-20 22:44:08 BuiltIn
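The three [Preview] resilience policies above (Container Instances zone aligned, Container App zone redundant, API Management zone redundant) each state their compliance condition in one sentence. The following added example is not Microsoft's policy rule JSON; it evaluates those stated conditions offline against constructed ARM-style resource documents. The resource type names and the `managedEnvironmentId` / `zoneRedundant` property names are the real ARM ones; the subscription, resource IDs and property values are sample data:

```python
from typing import Dict, List

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers"
ENV_ZR = f"{RG}/Microsoft.App/managedEnvironments/env-zr"
ENV_SINGLE = f"{RG}/Microsoft.App/managedEnvironments/env-single"

# Constructed resources (not from the page); only the fields the three policies inspect are present.
SAMPLE_RESOURCES: List[Dict] = [
    {"id": f"{RG}/Microsoft.ContainerInstance/containerGroups/aci-aligned",
     "type": "Microsoft.ContainerInstance/containerGroups", "zones": ["1"]},
    {"id": f"{RG}/Microsoft.ContainerInstance/containerGroups/aci-regional",
     "type": "Microsoft.ContainerInstance/containerGroups", "zones": []},
    {"id": f"{RG}/Microsoft.ApiManagement/service/apim-premium",
     "type": "Microsoft.ApiManagement/service", "sku": {"name": "Premium"}, "zones": ["1", "2"]},
    {"id": f"{RG}/Microsoft.ApiManagement/service/apim-premium-single",
     "type": "Microsoft.ApiManagement/service", "sku": {"name": "Premium"}, "zones": ["1"]},
    {"id": ENV_ZR, "type": "Microsoft.App/managedEnvironments", "properties": {"zoneRedundant": True}},
    {"id": ENV_SINGLE, "type": "Microsoft.App/managedEnvironments", "properties": {"zoneRedundant": False}},
    # ARM resource IDs are case-insensitive; the reference below is deliberately upper-cased.
    {"id": f"{RG}/Microsoft.App/containerApps/app-redundant",
     "type": "Microsoft.App/containerApps", "properties": {"managedEnvironmentId": ENV_ZR.upper()}},
    {"id": f"{RG}/Microsoft.App/containerApps/app-single",
     "type": "Microsoft.App/containerApps", "properties": {"managedEnvironmentId": ENV_SINGLE}},
]


def aci_zone_aligned(group: Dict) -> bool:
    """Container Instances: compliant only when the zones array has exactly one entry."""
    return len(group.get("zones") or []) == 1


def apim_zone_redundant(service: Dict) -> bool:
    """API Management: Premium SKU and at least two zones."""
    sku = (service.get("sku") or {}).get("name")
    return sku == "Premium" and len(service.get("zones") or []) >= 2


def container_app_zone_redundant(app: Dict, environments: Dict[str, Dict]) -> bool:
    """Container App: redundancy is a property of the managed environment it runs in,
    so resolve properties.managedEnvironmentId against the environments we know about.
    An unresolvable reference is reported as non-compliant rather than assumed safe."""
    env_id = ((app.get("properties") or {}).get("managedEnvironmentId") or "").lower()
    env = environments.get(env_id)
    if env is None:
        return False
    return bool((env.get("properties") or {}).get("zoneRedundant"))


def evaluate(resources: List[Dict]) -> Dict[str, str]:
    """Map resource id -> 'Compliant' / 'NonCompliant' for the three resilience policies."""
    envs = {r["id"].lower(): r for r in resources
            if r["type"].lower() == "microsoft.app/managedenvironments"}
    checks = {
        "microsoft.containerinstance/containergroups": aci_zone_aligned,
        "microsoft.apimanagement/service": apim_zone_redundant,
        "microsoft.app/containerapps": lambda r: container_app_zone_redundant(r, envs),
    }
    verdicts = {}
    for r in resources:
        check = checks.get(r["type"].lower())
        if check is not None:
            verdicts[r["id"]] = "Compliant" if check(r) else "NonCompliant"
    return verdicts


if __name__ == "__main__":
    for rid, verdict in evaluate(SAMPLE_RESOURCES).items():
        print(f"{verdict:13} {rid.rsplit('/', 1)[-1]}")
```

The Container App case is the one worth noticing: the non-compliant resource (the app) is not the one that carries the property (its environment), so remediation means moving the app to a zone-redundant environment, not editing the app.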
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.5.0 > 3.6.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-02-20 22:44:08 BuiltIn
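Local equivalents of three of the Kubernetes checks listed above (No AKS Specific Labels, Reserved System Pool Taints, and the readiness/liveness probe policy), added here as an example rather than taken from the built-in constraint templates. The sample manifests are constructed, and using the node label `kubernetes.azure.com/mode` to recognize system-pool nodes is an assumption about how AKS marks pools, not something the page states:

```python
from typing import Dict, List

AKS_LABEL_PREFIX = "kubernetes.azure.com/"         # prefix named in the policy text
PROBE_HANDLERS = ("tcpSocket", "httpGet", "exec")   # handler types named in the policy text
# Assumption (not on the page): AKS labels every node with kubernetes.azure.com/mode=system|user.
SYSTEM_MODE_LABEL, SYSTEM_MODE_VALUE = "kubernetes.azure.com/mode", "system"

# Constructed sample objects, not taken from any real cluster.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "api", "labels": {"app": "api", "kubernetes.azure.com/mode": "system"}},
}
SAMPLE_NODES = [
    {"metadata": {"name": "aks-system-1", "labels": {"kubernetes.azure.com/mode": "system"}},
     "spec": {"taints": [{"key": "CriticalAddonsOnly", "value": "true", "effect": "NoSchedule"}]}},
    {"metadata": {"name": "aks-user-1", "labels": {"kubernetes.azure.com/mode": "user"}},
     "spec": {"taints": [{"key": "CriticalAddonsOnly", "value": "true", "effect": "NoSchedule"},
                         {"key": "CriticalAddonsOnly", "value": "true", "effect": "NoExecute"}]}},
]
SAMPLE_POD = {
    "spec": {"containers": [
        {"name": "api", "image": "contoso.azurecr.io/api:1",
         "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}}},
        {"name": "worker", "image": "contoso.azurecr.io/worker:1"},
        {"name": "cache", "image": "contoso.azurecr.io/cache:1",
         "readinessProbe": {"initialDelaySeconds": 5}},      # timing fields but no handler
    ]}
}


def aks_label_violations(workload: Dict) -> List[str]:
    """'No AKS Specific Labels': labels under the AKS-owned prefix on a customer workload.
    Workload objects only; AKS itself sets these labels on nodes and system pods."""
    labels = workload.get("metadata", {}).get("labels") or {}
    return sorted(k for k in labels if k.startswith(AKS_LABEL_PREFIX))


def reserved_taint_violations(node: Dict) -> List[str]:
    """'Reserved System Pool Taints': CriticalAddonsOnly belongs on system-pool nodes only.
    Returns the node name once, however many CriticalAddonsOnly taints it carries."""
    labels = node.get("metadata", {}).get("labels") or {}
    taints = node.get("spec", {}).get("taints") or []
    if labels.get(SYSTEM_MODE_LABEL) == SYSTEM_MODE_VALUE:
        return []
    if any(t.get("key") == "CriticalAddonsOnly" for t in taints):
        return [node["metadata"]["name"]]
    return []


def probe_violations(pod: Dict, require_both: bool = False) -> List[str]:
    """'Ensure cluster containers have readiness or liveness probes configured'.

    A probe only counts if it carries one of the accepted handlers; a probe stanza
    with timing fields but no handler is not a valid probe and is treated as absent.
    require_both switches the policy from 'readiness or liveness' to 'both'.
    """
    needed = 2 if require_both else 1
    out = []
    for c in pod.get("spec", {}).get("containers", []):
        probes = (c.get("livenessProbe"), c.get("readinessProbe"))
        valid = [p for p in probes if p and any(h in p for h in PROBE_HANDLERS)]
        if len(valid) < needed:
            out.append(c["name"])
    return out


if __name__ == "__main__":
    print("label violations:", aks_label_violations(SAMPLE_DEPLOYMENT))
    for node in SAMPLE_NODES:
        print("taint violations:", reserved_taint_violations(node))
    print("probe violations:", probe_violations(SAMPLE_POD))
```

Running the checks in Audit-equivalent mode like this before switching the assignments to Deny is the practical order: the probe check in particular tends to surface long-running workloads that were never given a handler and would otherwise be blocked on their next rollout.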
Monitoring 3aa571d2-2e4f-4e92-8a30-4312860efbe1 Enable logging by category group for Application group (microsoft.desktopvirtualization/applicationgroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Application group (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Backup 4510daf9-5abc-4d7d-a11d-d84416b814f6 [Preview]: Azure Backup should be enabled for Blobs in Storage Accounts Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Security Center da56d295-2889-41ce-a4cd-6f50fb93aa68 Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP), for Windows downlevel machines onboarded to MDE via MMA, and auto provisioning of MDE on Windows Server 2019, Windows Virtual Desktop and above. Must be turned on in order for the other settings (WDATP_UNIFIED, etc.) to work. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring a4490248-cb97-4504-b7fb-f906afdb7437 Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewall (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Backup a25a41a7-a769-4271-841d-7ce0297be0c0 [Preview]: Azure Backup should be enabled for Managed Disks Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring cdd1dbc6-0004-4fcd-afd7-b67550de37ff Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Network 3e9965dc-cc13-47ca-8259-a4252fd0cf7b Configure virtual network to enable Flow Log and Traffic Analytics Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite the current settings of virtual networks that already have these features enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.1.0 > 1.1.1) 2024-02-13 19:27:15 BuiltIn
Monitoring 244bcb20-b194-41f3-afcc-63aef382b64c Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves) Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.4.0 > 3.5.0) 2024-02-13 19:27:15 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview) 2024-02-13 19:27:15 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-02-13 19:27:15 BuiltIn
Backup 0b0434ec-2bad-4229-965f-bb7ae5a71257 [Preview]: Azure Backup should be enabled for AKS clusters Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch, old suffix: preview (2.1.0-preview > 2.1.1) 2024-02-13 19:27:15 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.1.0 > 1.1.1) 2024-02-13 19:27:15 BuiltIn
Security Center d38668f5-d155-42c7-ab3d-9b57b50f8fbf Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers Audit PostgreSQL flexible servers without Advanced Data Security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Security Center 48666c5d-cec1-4043-ab6b-1be05abb24f2 Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_UNIFIED_SOLUTION), for enabling auto provisioning of MDE Unified Agent for Windows Server 2012R2 and 2016. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-02-13 19:27:15 BuiltIn
Network cd6f7aff-2845-4dab-99f2-6d1754a754b0 Deploy a Flow Log resource with target virtual network Configures a flow log for a specific virtual network, logging information about IP traffic flowing through that virtual network. Flow logs help identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.1.0 > 1.1.1) 2024-02-13 19:27:15 BuiltIn
Monitoring c0d8e23a-47be-4032-961f-8b0ff3957061 Enable logging by category group for App Service (microsoft.web/sites) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service (microsoft.web/sites). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring 45c6bfc7-4520-4d64-a158-730cd92eedbc Enable logging by category group for Azure Cosmos DB (microsoft.documentdb/databaseaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring 6bb23bce-54ea-4d3d-b07d-628ce0f2e4e3 Enable logging by category group for Workspace (microsoft.desktopvirtualization/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Workspace (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-02-13 19:27:15 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.4.0 > 3.5.0) 2024-02-13 19:27:15 BuiltIn
Key Vault 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 Azure Key Vault should use RBAC permission model Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-02-13 19:27:15 BuiltIn
Monitoring 6f95136f-6544-4722-a354-25a18ddb18a7 Enable logging by category group for Host pool (microsoft.desktopvirtualization/hostpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Host pool (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Backup fda9cd0b-094c-4cd5-ac2a-5e06e5277c45 [Preview]: Azure Backup Extension should be installed in AKS clusters Ensure the Backup extension is installed in your AKS clusters so they can use Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-02-13 19:27:15 BuiltIn
Key Vault 0a075868-4c26-42ef-914c-5bc007359560 Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch, old suffix: preview (2.2.0-preview > 2.2.1) 2024-02-13 19:27:15 BuiltIn
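The two Key Vault certificate policies above (certificates should not expire within a specified number of days, and certificates should have a specified maximum validity period) are easy to reproduce against the attributes Key Vault returns for a certificate. The added example below is not Microsoft's policy logic: it assumes Key Vault's `nbf`/`exp` attributes (Unix epoch seconds), uses calendar-month arithmetic for the validity bound, and works on constructed certificate records, with `days_to_expire` and `max_validity_months` standing in for the two policies' parameters:

```python
import calendar
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

VAULT = "https://kv-demo.vault.azure.net/certificates"          # constructed vault name
NOW = datetime(2024, 2, 13, 19, 27, 15, tzinfo=timezone.utc)    # fixed evaluation time


def epoch(year: int, month: int, day: int) -> int:
    """Unix time for a UTC midnight, the form Key Vault uses for nbf/exp."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed certificate records mimicking the 'attributes' block Key Vault returns.
SAMPLE_CERTS: List[Dict] = [
    {"id": f"{VAULT}/api-tls",
     "attributes": {"nbf": epoch(2024, 1, 1), "exp": epoch(2024, 12, 31), "enabled": True}},
    {"id": f"{VAULT}/legacy-client",
     "attributes": {"nbf": epoch(2023, 3, 1), "exp": epoch(2024, 3, 1), "enabled": True}},
    {"id": f"{VAULT}/long-lived-root",
     "attributes": {"nbf": epoch(2024, 1, 31), "exp": epoch(2026, 1, 31), "enabled": True}},
]


def add_months(dt: datetime, n: int) -> datetime:
    """Calendar-month addition; the day is clamped to the target month (Jan 31 + 1 -> Feb 29 in 2024)."""
    carry, month0 = divmod(dt.month - 1 + n, 12)
    year, month = dt.year + carry, month0 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def evaluate_certificates(certs: List[Dict], now: datetime = NOW,
                          days_to_expire: int = 30, max_validity_months: int = 12) -> List[Tuple[str, str]]:
    """Return (certificate id, finding) pairs.

    'expires-soon'        : exp falls within days_to_expire of now
    'validity-exceeds-max': exp is later than nbf + max_validity_months
    A certificate can trip both; a short-lived cert that is simply near the end of
    its life trips only the first.
    """
    findings = []
    window_end = now + timedelta(days=days_to_expire)
    for c in certs:
        attrs = c["attributes"]
        nbf = datetime.fromtimestamp(attrs["nbf"], tz=timezone.utc)
        exp = datetime.fromtimestamp(attrs["exp"], tz=timezone.utc)
        if exp <= window_end:
            findings.append((c["id"], "expires-soon"))
        if exp > add_months(nbf, max_validity_months):
            findings.append((c["id"], "validity-exceeds-max"))
    return findings


if __name__ == "__main__":
    for cert_id, finding in evaluate_certificates(SAMPLE_CERTS):
        print(f"{finding:22} {cert_id}")
```

The two checks pull in opposite directions and that is intentional: the maximum-validity policy keeps rotation frequent, and the expiry window gives the owning team time to rotate before the short-lived certificate lapses. Setting the window larger than the maximum validity makes every certificate non-compliant from the day it is issued.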
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2024-02-13 19:27:15 BuiltIn
Security Center f9e2bd2f-47c7-4059-8265-c5292aa62c8a Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX...) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_EXCLUDE_LINUX_...), for enabling auto provisioning of MDE for Linux servers. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2024-02-13 19:27:15 BuiltIn
Monitoring e9c22e0d-1f03-44da-a9d5-a9754ea53dc4 Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Function App (microsoft.web/sites). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-02-13 19:27:15 BuiltIn
Security Center Deploy-MDFC-SQL-DefenderSQL-DCR [Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1); superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304, BuiltIn) 2024-02-05 19:33:54 ALZ
Managed Identity Deploy-UserAssignedManagedIdentity-VMInsights [Deprecated]: Deploy User Assigned Managed Identity for VM Insights Policy is deprecated as it's no longer required. The User-Assigned Managed Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2024-01-31 19:57:15 ALZ
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) 2024-01-31 19:57:15 BuiltIn
Security Center Deploy-MDFC-Arc-SQL-DCR-Association [Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy; superseded by: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR (2227e1f1-23dd-4c3a-85a9-7024a401d8b2, BuiltIn) 2024-01-31 19:57:15 ALZ
Security Center 17bc14a7-92e1-4551-8b8c-80f36953e166 Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Minor (1.0.2 > 1.1.0) 2024-01-31 19:57:15 BuiltIn
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
change
Patch (2.1.0 > 2.1.1); replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet) 2024-01-31 19:57:15 ALZ
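The Deny-MgmtPorts-From-Internet entry above says what the policy blocks but not how an individual rule is judged. The added example below is not the ALZ policy definition; it applies the described logic to an NSG document: an inbound Allow rule whose source is Internet-scoped and whose destination port range covers a management port. The sample NSG, the port set (SSH/RDP, the defaults the text names) and the set of prefixes treated as "Internet" are this example's assumptions; the real policy takes its ports as a parameter:

```python
from typing import Dict, List, Tuple

MGMT_PORTS = frozenset({22, 3389})                                  # SSH/RDP, per the policy text
INTERNET_SOURCES = {"*", "internet", "any", "0.0.0.0/0", "0.0.0.0"}  # Internet-scoped source prefixes

# Constructed NSG in ARM shape (not from the page); rule fields live under 'properties'.
SAMPLE_NSG = {
    "name": "nsg-web", "type": "Microsoft.Network/networkSecurityGroups",
    "properties": {"securityRules": [
        {"name": "allow-https", "properties": {"priority": 100, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"}},
        {"name": "allow-rdp-any", "properties": {"priority": 110, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
        {"name": "allow-ssh-range", "properties": {"priority": 120, "direction": "Inbound", "access": "Allow",
            "protocol": "*", "sourceAddressPrefixes": ["Internet"], "destinationPortRanges": ["20-25", "80"]}},
        {"name": "allow-ssh-bastion", "properties": {"priority": 130, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRange": "22"}},
        {"name": "allow-all-egress", "properties": {"priority": 140, "direction": "Outbound", "access": "Allow",
            "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
        {"name": "deny-rdp", "properties": {"priority": 150, "direction": "Inbound", "access": "Deny",
            "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
    ]},
}


def props(obj: Dict) -> Dict:
    """ARM nests fields under 'properties'; accept already-flattened objects too."""
    return obj.get("properties", obj)


def listed(p: Dict, singular: str, plural: str) -> List[str]:
    """NSG rules use either the singular field or the plural list; merge both."""
    values = list(p.get(plural) or [])
    if p.get(singular):
        values.append(p[singular])
    return [str(v).strip() for v in values]


def port_ranges(p: Dict) -> List[Tuple[int, int]]:
    """Expand '*', '22', '3000-4000' into inclusive (lo, hi) pairs."""
    out = []
    for r in listed(p, "destinationPortRange", "destinationPortRanges"):
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(r), int(r)))
    return out


def exposes_mgmt_port(rule: Dict, ports=MGMT_PORTS) -> bool:
    """True for an inbound Allow rule with an Internet-scoped source whose destination
    ports include a management port. Protocol is deliberately ignored: a '*' or
    UDP-only rule on 3389 is still a finding that deserves a human look."""
    p = props(rule)
    if p.get("access", "").lower() != "allow" or p.get("direction", "").lower() != "inbound":
        return False
    sources = [s.lower() for s in listed(p, "sourceAddressPrefix", "sourceAddressPrefixes")]
    if not any(s in INTERNET_SOURCES for s in sources):
        return False
    return any(lo <= port <= hi for port in ports for lo, hi in port_ranges(p))


def offending_rules(nsg: Dict) -> List[str]:
    """Names of the rules in an NSG that a Deny assignment would reject."""
    return [r["name"] for r in props(nsg).get("securityRules") or [] if exposes_mgmt_port(r)]


if __name__ == "__main__":
    print("offending:", offending_rules(SAMPLE_NSG))
```

Two things the rule-by-rule view does not do, and which a Deny assignment does not do either: it does not weigh priorities (the lower-priority `deny-rdp` in the sample cannot rescue `allow-rdp-any`, and even if it could, the policy judges each rule on its own), and it does not notice a rule that opens SSH through a wide range such as `20-25`, which is why range expansion rather than string comparison is used.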
Security Center Deploy-MDFC-SQL-AMA [Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
new Policy; superseded by: Configure SQL Virtual Machines to automatically install Azure Monitor Agent (f91991d1-5383-4c95-8ee5-5ac423dd8bb1, BuiltIn) 2024-01-31 19:57:15 ALZ
Security Center 1f725891-01c0-420a-9059-4fa46cb770b7 Configure Microsoft Defender for Key Vault plan Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Minor (1.0.2 > 1.1.0) 2024-01-31 19:57:15 BuiltIn
Security Center 72f8cee7-2937-403d-84a1-a4e3e57f3c21 Configure Microsoft Defender CSPM plan Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-01-31 19:57:15 BuiltIn
Security Center b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Minor (1.0.2 > 1.1.0) 2024-01-31 19:57:15 BuiltIn
Security Center Deploy-MDFC-Arc-Sql-DefenderSQL-DCR [Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy; superseded by: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (63d03cbd-47fd-4ee1-8a1c-9ddf07303de0, BuiltIn) 2024-01-31 19:57:15 ALZ
Security Center 5eb6d64a-4086-4d7a-92da-ec51aed0332d Configure Microsoft Defender for Servers plan New capabilities are continuously being added to Defender for Servers, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-01-31 19:57:15 BuiltIn
Security Center efd4031d-b232-4595-babf-ae817348e91b Configure Microsoft Defender for Containers plan New capabilities are continuously being added to Defender for Containers plan, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-01-31 19:57:15 BuiltIn
Monitoring Deploy-Diagnostics-MariaDB [Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB server that is missing these diagnostic settings is created or updated. The policy enables all metrics and log categories. Deprecated due to service retirement: https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-01-31 19:57:15 ALZ
Security Center Deploy-MDFC-SQL-DefenderSQL-DCR [Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304) BuiltIn
2024-01-31 19:57:15 ALZ
Security Center Deploy-MDFC-SQL-DefenderSQL [Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL (ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) BuiltIn
2024-01-31 19:57:15 ALZ
Stack HCI ae95f12a-b6fd-42e0-805c-6b94b86c9830 [Deprecated]: Azure Stack HCI systems should have encrypted volumes This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
SQL 0c28c3fb-c244-42d5-a9bf-f35f2999577b Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (3.9.1 > 3.10.0) 2024-01-24 19:15:51 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor (4.4.1 > 4.5.0) 2024-01-24 19:15:51 BuiltIn
Stack HCI aee306e7-80b0-46f3-814c-d3d3083ed034 [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Synapse 738949be-6fd2-46b9-b969-99b53712b192 Configure Synapse Workspaces to use only Microsoft Entra identities for authentication Require and reconfigure Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled and re-enables Microsoft Entra-only authentication on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
add
new Policy 2024-01-24 19:15:51 BuiltIn
Key Vault d3e82b87-6673-410b-8501-1896b688b9a3 [Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
SQL abda6d70-9778-44e7-84a8-06713e6db027 Azure SQL Database should have Microsoft Entra-only authentication enabled during creation Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
SQL 78215662-041e-49ed-a9dd-5385911b3a1f Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
Synapse 6ea81a52-5ca7-4575-9669-eaa910b7edf8 Synapse Workspaces should have Microsoft Entra-only authentication enabled Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
SQL b3a22bc9-66de-45fb-98fa-00f5df42f41a Azure SQL Database should have Microsoft Entra-only authentication enabled Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Synapse 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
Stack HCI 56c47221-b8b7-446e-9ab7-c7c9dc07f0ad [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Synapse c3624673-d2ff-48e0-b28c-5de1c6767c3c Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.4.1 > 3.5.0) 2024-01-24 19:15:51 BuiltIn
Backup c7031eab-0fc0-4cd9-acd0-4497bd66d91a [Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Recovery Services Vaults. MUA helps in securing your Recovery Services Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/MUAforRSV. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Stack HCI 7384fde3-11b0-4047-acbd-b3cf3cc8ce07 [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/dad3a6b9-4451-492f-a95c-69efc6f3fada. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
new Policy 2024-01-24 19:15:51 BuiltIn
Security Center 2a6ae02f-7590-40d7-88ba-b18e205a32fd Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing 080fedce-9d4a-4d07-abf0-9f036afbc9c8 Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) that have the selected tag name and tag value(s). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration fad40cac-a972-4db0-b204-f1b15cced89a Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-deprecated > 1.2.0-deprecated) 2024-01-22 17:47:54 BuiltIn
Guest Configuration e79ffbda-ff85-465d-ab8e-7e58a557660f [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
Guest Configuration f40c7c00-b4e3-4068-a315-5fe81347a904 [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) 2024-01-22 17:47:54 BuiltIn
Backup c58e083e-7982-4e24-afdc-be14d312389e [Preview]: Multi-User Authorization (MUA) must be enabled for Backup Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Backup Vaults. MUA helps in securing your Backup Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/mua-for-bv. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify
count: 001
Contributor
change
Minor (4.0.0 > 4.1.0) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest fa8af49a-f61d-4f56-9138-46b77d37df43 [Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest 98cec160-6f57-4d11-86e2-0a03290a3a8a [Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels Default
Disabled
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that have accounts without passwords. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
SQL db048e65-913c-49f9-bb5f-1084184671d3 Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2024-01-22 17:47:54 BuiltIn
ElasticSan 6a92fe1f-0b86-44ae-843d-2db3d2b571ae ElasticSan should disable public network access Disable public network access for your ElasticSan so that it's not accessible over the public internet. This can reduce data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
SQL a6cf7411-da9e-49e2-aec0-cba0250eaf8c Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2024-01-22 17:47:54 BuiltIn
ElasticSan 1abc5157-29f8-4dbd-b28e-ff99526cb8b7 ElasticSan Volume Group should use private endpoints Private endpoints let administrators connect virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to a volume group, administrators can reduce data leakage risks. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that do not have the passwd file permissions set to 0644. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.1.0 > 4.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify
count: 001
Contributor
change
Minor (4.0.0 > 4.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.1.0 > 4.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 [Preview]: Linux machines should meet STIG compliance requirement for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing f6ff485a-7630-4730-854d-cd3ad855435e Configure Azure Defender for Servers to be disabled for all resources (resource level) Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) in the selected scope (subscription or resource group). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
add
new Policy 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing 1b8c0040-b224-4ea1-be6a-47254dd5a207 Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level) Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) in the selected scope (subscription or resource group). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing 9e4879d9-c2a0-4e40-8017-1a5a5327c843 Configure Azure Defender for Servers to be enabled ('P1' subplan) for all resources (resource level) with the selected tag Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) that have the selected tag name and tag value(s). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 001
Contributor
change
Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that allow remote connections from accounts without passwords. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
SQL 80ed5239-4122-41ed-b54a-6f1fa7552816 Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2024-01-22 17:47:54 BuiltIn
Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying one custom or internal certificate authority that can issue certificates in your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (2.1.0 > 2.1.1) 2024-01-12 18:35:06 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.2.2 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.2.1 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Category: Security Center
Id: 04754ef9-9ae3-4477-bf17-86ef50026304
DisplayName: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
Description: Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.
Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
Roles used (1): Contributor
Subject: change
Change: Minor (1.3.1 > 1.4.0); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Network
Id: cd6f7aff-2845-4dab-99f2-6d1754a754b0
DisplayName: Deploy a Flow Log resource with target virtual network
Description: Configures a flow log for a specific virtual network, logging information about IP traffic flowing through that virtual network. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces.
Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
Roles used (1): Contributor
Subject: change
Change: Minor (1.0.0 > 1.1.0); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Security Center
Id: 09963c90-6ee7-4215-8d26-1cc660a1682f
DisplayName: Create and assign a built-in user-assigned managed identity
Description: Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.
Effect: default DeployIfNotExists; allowed AuditIfNotExists, DeployIfNotExists, Disabled
Roles used (1): Contributor
Subject: change
Change: Minor (1.3.1 > 1.4.0); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Security Center
Id: c859b78a-a128-4376-a838-e97ce6625d16
DisplayName: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace
Description: Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group, a Data Collection Rule and a Log Analytics workspace in the same region as the machine.
Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
Roles used (1): Contributor
Subject: change
Change: Minor (1.3.1 > 1.4.0); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Security Center
Id: 2370a3c1-4a25-4283-a91a-c9c1a145fb2f
DisplayName: [Deprecated]: Configure Azure Defender for DNS to be enabled
Description: This policy definition is no longer the recommended way to achieve its intent, because the DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign its replacement, policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation
Effect: default Disabled; allowed DeployIfNotExists, Disabled
Roles used (1): Security Admin
Subject: change
Change: Minor, new suffix: deprecated (1.0.2 > 1.1.0-deprecated); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Security Center
Id: 242300d6-1bfc-4d64-8d01-cee583709ebd
DisplayName: Configure the Microsoft Defender for SQL Log Analytics workspace
Description: Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Log Analytics workspace in the same region as the machine.
Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
Roles used (1): Contributor
Subject: change
Change: Minor (1.1.2 > 1.2.0); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Security Center
Id: 0fc39691-5a3f-4e3e-94ee-2e6447309ad9
DisplayName: [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys)
Description: As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines.
Effect: default Disabled; allowed AuditIfNotExists, Disabled
Roles used: none
Subject: change
Change: Patch (1.0.2 > 1.0.3); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Network
Id: 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d
DisplayName: Virtual networks should be protected by Azure DDoS Protection
Description: Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs.
Effect: default Modify; allowed Modify, Audit, Disabled
Roles used (1): Network Contributor
Subject: change
Change: Patch (1.0.0 > 1.0.1); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Security Center
Id: f91991d1-5383-4c95-8ee5-5ac423dd8bb1
DisplayName: Configure SQL Virtual Machines to automatically install Azure Monitor Agent
Description: Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.
Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
Roles used (1): Virtual Machine Contributor
Subject: change
Change: Minor (1.2.2 > 1.3.0); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Security Center
Id: 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957
DisplayName: Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)
Description: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads.
Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
Roles used: none
Subject: change
Change: Patch (1.0.0 > 1.0.1); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Network
Id: 052c180e-287d-44c3-86ef-01aeae2d9774
DisplayName: Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics
Description: If a virtual network already has traffic analytics enabled, this policy overwrites its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.
Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
Roles used (1): Contributor
Subject: change
Change: Minor (1.0.0 > 1.1.0); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Security Center
Id: 090c7b07-b4ed-4561-ad20-e9075f3ccaff
DisplayName: Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)
Description: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment.
Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
Roles used: none
Subject: change
Change: Patch (1.0.0 > 1.0.1); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
Category: Security Center
Id: 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0
DisplayName: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
Description: Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.
Effect: default DeployIfNotExists; allowed DeployIfNotExists, Disabled
Roles used (1): Contributor
Subject: change
Change: Minor (1.3.1 > 1.4.0); Date (UTC): 2024-01-12 18:35:06; Type: BuiltIn
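Several of the DeployIfNotExists and Modify rows above bump a minor version while changing the "Roles used" list, and the deprecated rows flip the default effect to Disabled. The role grants made to an assignment's managed identity when the assignment was created are not updated when the built-in definition changes, so a remediation identity can silently lack a newly required role after such a bump. The script below is an added example, not code from this change feed or from Azure Policy: it takes two versions of a policy definition in the JSON shape the Azure Policy REST API returns (properties.metadata.version, properties.parameters.<name>.defaultValue/allowedValues, properties.policyRule.then.details.roleDefinitionIds) and reports the operator actions the difference implies. The definition name, the 'if' condition, the version numbers and the role sets in the sample are constructed for illustration and are not the real content of any built-in; the role GUID to name table is assumed from the Azure built-in roles reference and only covers the roles the sample needs.

```python
import json
import re

# Built-in Azure RBAC role definition GUIDs (assumed from the Azure built-in
# roles reference); only the ones this sample needs. Unknown GUIDs are reported as-is.
ROLE_NAMES = {
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "92aaf0da-9dab-42b6-94a3-d43ce8d16293": "Log Analytics Contributor",
    "749f88d5-cbae-40b8-bcfc-e573ddc772fa": "Monitoring Contributor",
    "9980e02c-c2be-4d73-94e8-173b1dc7cf3c": "Virtual Machine Contributor",
}
ROLE_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")


def make_definition(version, default_effect, allowed_effects, role_guids):
    """Constructed policy definition in the shape the Azure Policy REST API returns.
    The name and the 'if' condition are placeholders, not a real built-in."""
    return {
        "name": "00000000-0000-0000-0000-000000000000",
        "properties": {
            "metadata": {"version": version, "category": "Security Center"},
            "parameters": {
                "effect": {
                    "type": "String",
                    "defaultValue": default_effect,
                    "allowedValues": list(allowed_effects),
                }
            },
            "policyRule": {
                "if": {"field": "type", "equals": "Example.Provider/resources"},
                "then": {
                    "effect": "[parameters('effect')]",
                    "details": {"roleDefinitionIds": [ROLE_PREFIX + g for g in role_guids]},
                },
            },
        },
    }


def summarize(definition):
    """Return version, default effect, allowed effects and remediation role names."""
    props = definition["properties"]
    then = props["policyRule"]["then"]
    effect = then["effect"]
    ref = PARAM_REF.fullmatch(effect.strip())
    if ref:
        # Parameterised effect: an assignment may pick any allowedValue, and an
        # assignment that does not set the parameter gets defaultValue.
        param = props.get("parameters", {}).get(ref.group(1), {})
        default = param.get("defaultValue")
        allowed = list(param.get("allowedValues", []))
    else:
        # Hard-coded effect: default and allowed collapse to that single value.
        default, allowed = effect, [effect]
    guids = [rid.rsplit("/", 1)[-1] for rid in then.get("details", {}).get("roleDefinitionIds", [])]
    return {
        "version": props.get("metadata", {}).get("version"),
        "default": default,
        "allowed": sorted(allowed),
        "roles": sorted(ROLE_NAMES.get(g, g) for g in guids),
    }


def diff_versions(old, new):
    """List the operator actions implied by moving from one definition version to the next."""
    a, b = summarize(old), summarize(new)
    findings = []
    if a["default"] != b["default"]:
        findings.append(f"default effect changed {a['default']} -> {b['default']}")
        if b["default"] == "Disabled":
            findings.append("new default is Disabled: assignments relying on the default stop enforcing")
    dropped = sorted(set(a["allowed"]) - set(b["allowed"]))
    if dropped:
        findings.append("allowed effects removed: " + ", ".join(dropped) + "; assignments pinned to them must change")
    added = sorted(set(b["roles"]) - set(a["roles"]))
    removed = sorted(set(a["roles"]) - set(b["roles"]))
    if added:
        findings.append("grant the assignment's managed identity: " + ", ".join(added))
    if removed:
        findings.append("roles no longer needed (revoke for least privilege): " + ", ".join(removed))
    return {"from": a["version"], "to": b["version"], "findings": findings}


# Constructed samples (not any real built-in): a DeployIfNotExists policy whose
# required roles change in a minor bump, then a deprecation that flips the
# default effect to Disabled, the pattern the [Deprecated] rows in the feed show.
OLD_DEFINITION = make_definition("1.2.1", "DeployIfNotExists", ["DeployIfNotExists", "Disabled"],
                                 ["9980e02c-c2be-4d73-94e8-173b1dc7cf3c"])
NEW_DEFINITION = make_definition("1.3.0", "DeployIfNotExists", ["DeployIfNotExists", "Disabled"],
                                 ["92aaf0da-9dab-42b6-94a3-d43ce8d16293",
                                  "749f88d5-cbae-40b8-bcfc-e573ddc772fa"])
DEPRECATED_DEFINITION = make_definition("1.4.0-deprecated", "Disabled", ["DeployIfNotExists", "Disabled"],
                                        ["92aaf0da-9dab-42b6-94a3-d43ce8d16293",
                                         "749f88d5-cbae-40b8-bcfc-e573ddc772fa"])

if __name__ == "__main__":
    print(json.dumps(diff_versions(OLD_DEFINITION, NEW_DEFINITION), indent=2))
    print(json.dumps(diff_versions(NEW_DEFINITION, DEPRECATED_DEFINITION), indent=2))
```

To run it against real definitions, replace the constructed samples with the JSON of the two versions as returned by the policy definitions API and extend ROLE_NAMES with any role GUIDs the definition references; the "roles no longer needed" finding is the least-privilege clean-up step that is easy to forget after a bump.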
Network