| Category | Id | DisplayName | Description | Effect | Roles used | Subject | Change | Date (UTC ymd) (i) | Type |
|---|---|---|---|---|---|---|---|---|---|
| Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. | Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-04-22 16:32:55 | BuiltIn | |
| Communication | bcff6755-335b-484d-b435-d1161db39cdc | Communication service resource should use a managed identity | Assigning a managed identity to your Communication service resource helps ensure secure authentication. This identity is used by this Communication service resource to communicate with other Azure services, like Azure Storage, in a secure way without you having to manage any credentials. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-04-22 16:32:55 | BuiltIn | |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) | 2024-04-22 16:32:55 | BuiltIn |
| Communication | 93c45b74-42a1-4967-b25d-82c4dc630921 | Communication service resource should use allow listed data location | Create a Communication service resource only from an allow listed data location. This data location determines where the data of the communication service resource will be stored at rest, ensuring your preferred allow listed data locations as this cannot be changed after resource creation. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-04-22 16:32:55 | BuiltIn | |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) | 2024-04-22 16:32:55 | BuiltIn |
| Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-22 16:32:55 | BuiltIn |
| Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-22 16:32:55 | BuiltIn |
| Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.2.0 > 1.3.0) | 2024-04-22 16:32:55 | BuiltIn |
| Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. | Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-04-22 16:32:55 | BuiltIn | |
| Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-22 16:32:55 | BuiltIn |
| System Policy | 0e7201a7-b325-480a-907d-5f198e95e1d3 | [Deprecated]: The resource name should follow naming conventions in the region. | The policy defines the naming conventions for the specified resource types in the specified regions | Fixed deny |
add |
new Policy | 2024-04-22 16:32:55 | BuiltIn | |
| Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-22 16:32:55 | BuiltIn |
| Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.3.0 > 1.4.0) | 2024-04-22 16:32:55 | BuiltIn |
| Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-04-12 17:45:57 | BuiltIn | |
| Kubernetes | 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
| Azure Ai Services | 55eff01b-f2bd-4c32-9203-db285f709d30 | Configure Azure AI Services resources to disable local key access (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Cognitive Services Contributor •Cognitive Services OpenAI Contributor |
add |
new Policy | 2024-04-12 17:45:57 | BuiltIn |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.4.0 > 4.5.0) | 2024-04-12 17:45:57 | BuiltIn |
| Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. | Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.4.0 > 3.5.0) | 2024-04-12 17:45:57 | BuiltIn |
| Kubernetes | 8e875f96-2c56-40ca-86db-b9f6a0be7347 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
| Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.3.0 > 2.4.0) | 2024-04-12 17:45:57 | BuiltIn |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.5.0 > 3.6.0) | 2024-04-12 17:45:57 | BuiltIn |
| Guest Configuration | 3dc5edcd-002d-444c-b216-e123bbfa37c0 | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.1.0-preview > 1.1.1) | 2024-04-12 17:45:57 | BuiltIn | |
| Guest Configuration | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.2.0-preview > 1.2.1) | 2024-04-12 17:45:57 | BuiltIn | |
| Security Center | 3d5ed4c2-5e50-4c76-932b-8982691b68ae | Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers | Enable Advanced Threat Protection on your Azure database for MySQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2024-04-12 17:45:57 | BuiltIn |
| Kubernetes | d77f191e-2338-45d0-b6d4-4ee1c586a192 | [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources | Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.4.0 > 3.5.0) | 2024-04-12 17:45:57 | BuiltIn |
| Azure Ai Services | d45520cb-31ca-44ba-8da2-fcf914608544 | Configure Azure AI Services resources to disable local key access (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Cognitive Services Contributor •Cognitive Services OpenAI Contributor •Search Service Contributor |
add |
new Policy | 2024-04-12 17:45:57 | BuiltIn |
| Kubernetes | e16d171b-bfe5-4d79-a525-19736b396e92 | [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. | To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
| Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. | Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.5.0 > 3.6.0) | 2024-04-12 17:45:57 | BuiltIn |
| Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-04-12 17:45:57 | BuiltIn | |
| Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-12 17:45:57 | BuiltIn | |
| Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-12 17:45:57 | BuiltIn |
| Monitoring | e20f31d7-6b6d-4644-962a-ae513a85ab0b | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
| Kubernetes | 8e875f96-2c56-40ca-86db-b9f6a0be7347 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
| Monitoring | 441af8bf-7c88-4efc-bd24-b7be28d4acce | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
| Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. | Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
| Monitoring | fc602c00-2ce3-4556-b615-fa4159517103 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-08 17:52:20 | BuiltIn |
| Monitoring | 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
| Monitoring | 8656d368-0643-4374-a63f-ae0ed4da1d9a | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
| Kubernetes | 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
| Kubernetes | e16d171b-bfe5-4d79-a525-19736b396e92 | [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. | To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | [Deprecated]: Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Disabled Allowed Audit, Deny, Disabled |
change |
Minor, new suffix: deprecated (3.0.1 > 3.1.0-deprecated) | 2024-04-08 17:52:20 | BuiltIn | |
| Monitoring | 9e6aee71-3781-4acd-bba7-aac4fb067dfa | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-08 17:52:20 | BuiltIn |
| Kubernetes | 021f8078-41a0-40e6-81b6-c6597da9f3ee | [Preview]: Kubernetes cluster container images should not include latest image tag | Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
| Monitoring | 480851ae-9ff3-49d1-904c-b5bd6f83f1ec | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-08 17:52:20 | BuiltIn |
| Kubernetes | d77f191e-2338-45d0-b6d4-4ee1c586a192 | [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources | Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
| Monitoring | 1513498c-3091-461a-b321-e9b433218d28 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
| Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. | Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
| Security Center | 0b15565f-aa9e-48ba-8619-45960f2c314d | Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2024-04-08 17:52:20 | BuiltIn | |
| Monitoring | 6567d3f3-42d0-4cfb-9606-9741ba60fa07 | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
| Kubernetes | 1a3b9003-eac6-4d39-a184-4a567ace7645 | [Preview]: Kubernetes cluster container images must include the preStop hook | Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
| Security Center | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn | |
| Network | 052c180e-287d-44c3-86ef-01aeae2d9774 | Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics | If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.1.1 > 1.1.2) | 2024-03-29 18:59:24 | BuiltIn |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (6.2.0 > 6.3.0) | 2024-03-29 18:59:24 | BuiltIn |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.3.0 > 4.4.0) | 2024-03-29 18:59:24 | BuiltIn |
| Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-03-25 19:17:21 | BuiltIn | |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.1.0 > 4.2.0) | 2024-03-25 19:17:21 | BuiltIn |
| Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (2.1.0 > 2.2.0) | 2024-03-25 19:17:21 | BuiltIn |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2024-03-25 19:17:21 | BuiltIn |
| Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.3.0 > 2.4.0) | 2024-03-25 19:17:21 | BuiltIn |
| Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2024-03-25 19:17:21 | BuiltIn | |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2024-03-25 19:17:21 | BuiltIn |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.1.0 > 4.2.0) | 2024-03-25 19:17:21 | BuiltIn |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (6.1.0 > 6.2.0) | 2024-03-25 19:17:21 | BuiltIn |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.2.0 > 4.3.0) | 2024-03-25 19:17:21 | BuiltIn |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.3.0 > 3.4.0) | 2024-03-25 19:17:21 | BuiltIn |
| Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (2.1.0 > 2.2.0) | 2024-03-25 19:17:21 | BuiltIn |
| DevCenter | ece3c79b-2caf-470d-a5f5-66470c4fc649 | [Preview]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks. | Disallows the use of Microsoft Hosted Networks when creating Pool resources. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-03-25 19:17:21 | BuiltIn | |
| Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-03-25 19:17:21 | BuiltIn | |
| Backup | d6588149-9f06-462c-a076-56aece45b5ba | [Preview]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. Also an option to enforce Infra Encryption. | This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope. Additionally, option to check if Backup Vault also has Infrastructure Encryption enabled. Learn more at https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk. Please note that when 'Deny' effect is used, it would need you to enable Encryption Settings on the existing Backup Vaults in order to allow other update operations on the vault go through. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-03-25 19:17:21 | BuiltIn | |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (4.3.0 > 4.4.0) | 2024-03-25 19:17:21 | BuiltIn |
| Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (2.0.2 > 2.1.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn | |
| Kubernetes | a22123bd-b9da-4c86-9424-24903e91fd55 | [Preview]: No AKS Specific Labels | Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn | |
| Kubernetes | 48940d92-ff05-449e-9111-e742d9280451 | [Preview]: Reserved System Pool Taints | Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn | |
| Kubernetes | d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d | [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn | |
| Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (1.0.3 > 1.1.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn | |
| Kubernetes | 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 | [Preview]: Must Have Anti Affinity Rules Set | This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn | |
| General | 78460a36-508a-49a4-b2b2-2f5ec564f4bb | Do not allow deletion of resource types | This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. | Default DenyAction Allowed DenyAction, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2024-03-15 22:15:34 | BuiltIn | |
| Kubernetes | b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 | [Preview]: Kubernetes cluster services should use unique selectors | Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn | |
| BuiltInPolicyTest | 83a0809a-a4e3-4ef2-8a24-2afc156607af | [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. | This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels | Default Disabled Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn | |
| BuiltInPolicyTest | f8d398ae-0441-4921-a341-40f3973d4647 | [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn | This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. | Default Disabled Allowed Deny, Disabled |
change |
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn | |
| BuiltInPolicyTest | 85793e88-5a58-4555-93fa-4df63c86ae9c | [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. | Only deploy Registry Models in the allowed Registry and that are not restricted. | Default Disabled Allowed Deny, Disabled |
change |
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn | |
| Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn | |
| Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Minor (2.0.4 > 2.1.0) | 2024-03-15 22:15:34 | BuiltIn |
| Trusted Launch | b03bb370-5249-4ea4-9fce-2552e87e45fa | Disks and OS image should support TrustedLaunch | TrustedLaunch improves security of a Virtual Machine which requires OS Disk & OS Image to support it (Gen 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-03-11 18:31:50 | BuiltIn | |
| Azure Ai Services | 1b4d1c4e-934c-4703-944c-27c82c06bebb | Diagnostic logs in Azure AI services resources should be enabled | Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2024-03-11 18:31:50 | BuiltIn | |
| Machine Learning | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f | Azure Machine Learning Computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2024-03-11 18:31:50 | BuiltIn | |
| Cache | 766f5de3-c6c0-4327-9f4d-042ab8ae846c | Configure Azure Cache for Redis to disable non SSL ports | Enable SSL only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Default Modify Allowed Modify, Disabled |
count: 001 •Redis Cache Contributor |
add |
new Policy | 2024-03-11 18:31:50 | BuiltIn |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Minor (4.0.1 > 4.1.0) | 2024-03-11 18:31:50 | BuiltIn |
| Trusted Launch | c95b54ad-0614-4633-ab29-104b01235cbf | Virtual Machine should have TrustedLaunch enabled | Enable TrustedLaunch on Virtual Machine for enhanced security, use VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-03-11 18:31:50 | BuiltIn | |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.6.0 > 3.7.0) | 2024-03-11 18:31:50 | BuiltIn | |
| Azure Ai Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-03-11 18:31:50 | BuiltIn | |
| Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Azure Machine Learning Computes to disable local authentication methods | Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Minor (2.0.1 > 2.1.0) | 2024-03-11 18:31:50 | BuiltIn |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Minor (4.7.0 > 4.8.0) | 2024-03-11 18:31:50 | BuiltIn |
| Stack HCI | ee8ca833-1583-4d24-837e-96c2af9488a4 | [Preview]: Azure Stack HCI systems should have encrypted volumes | Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems. | Default AuditIfNotExists Allowed Audit, Disabled, AuditIfNotExists |
add |
new Policy | 2024-03-01 17:50:27 | BuiltIn | |
| Stack HCI | dad3a6b9-4451-492f-a95c-69efc6f3fada | [Preview]: Azure Stack HCI servers should have consistently enforced application control policies | At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster. | Default AuditIfNotExists Allowed Audit, Disabled, AuditIfNotExists |
add |
new Policy | 2024-03-01 17:50:27 | BuiltIn | |
| Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Minor (1.1.0 > 1.2.0) | 2024-03-01 17:50:27 | BuiltIn |
| Stack HCI | 7384fde3-11b0-4047-acbd-b3cf3cc8ce07 | [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies | This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/dad3a6b9-4451-492f-a95c-69efc6f3fada. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Disabled |
change |
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) | 2024-03-01 17:50:27 | BuiltIn | |
| Stack HCI | aee306e7-80b0-46f3-814c-d3d3083ed034 | [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems | This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Disabled |
change |
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) | 2024-03-01 17:50:27 | BuiltIn | |
| Stack HCI | 36f0d6bc-a253-4df8-b25b-c3a5023ff443 | [Preview]: Host and VM networking should be protected on Azure Stack HCI systems | Protect data on the Azure Stack HCI hosts network and on virtual machine network connections. | Default AuditIfNotExists Allowed Audit, Disabled, AuditIfNotExists |
add |
new Policy | 2024-03-01 17:50:27 | BuiltIn | |
| Mobile Network | 45c4e9bd-ad6b-4634-9566-c2dad2f03cbf | SIM Group should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of SIM secrets in a SIM Group. Customer-managed keys are commonly required to meet regulatory compliance standards and they enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-03-01 17:50:27 | BuiltIn | |
| Mobile Network | 7508b186-60e2-4518-bf70-3d7fbaba1f3a | Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID | Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2024-03-01 17:50:27 | BuiltIn |
| Stack HCI | 56c47221-b8b7-446e-9ab7-c7c9dc07f0ad | [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements | This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Disabled |
change |
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) | 2024-03-01 17:50:27 | BuiltIn | |
| Stack HCI | 5e6bf724-0154-49bc-985f-27b2e07e636b | [Preview]: Azure Stack HCI servers should meet Secured-core requirements | Ensure that all Azure Stack HCI servers meet the Secured-core requirements. To enable the Secured-core server requirements: 1. From the Azure Stack HCI clusters page, go to Windows Admin Center and select Connect. 2. Go to the Security extension and select Secured-core. 3. Select any setting that is not enabled and click Enable. | Default AuditIfNotExists Allowed Audit, Disabled, AuditIfNotExists |
add |
new Policy | 2024-03-01 17:50:27 | BuiltIn | |
| Mobile Network | aec63c84-f9ea-46c7-9e66-ba567bae0f09 | Packet Core Control Plane diagnostic access should only use Microsoft EntraID authentication type | Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-03-01 17:50:27 | BuiltIn | |
| Stack HCI | ae95f12a-b6fd-42e0-805c-6b94b86c9830 | [Deprecated]: Azure Stack HCI systems should have encrypted volumes | This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Disabled |
change |
Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) | 2024-03-01 17:50:27 | BuiltIn | |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.0.1 > 4.1.0) | 2024-02-27 19:10:20 | BuiltIn |
| VirtualEnclaves | 41a72361-06e3-4e80-832a-690bd0708bc1 | Configure Storage Accounts to restrict network access through network ACL bypass configuration only. | To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access. | Default Modify Allowed Modify, Disabled |
count: 001 •Storage Account Contributor |
add |
new Policy | 2024-02-27 19:10:20 | BuiltIn |
| BuiltInPolicyTest | f8d398ae-0441-4921-a341-40f3973d4647 | [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn | This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. | Default Disabled Allowed Deny, Disabled |
change |
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) | 2024-02-27 19:10:20 | BuiltIn | |
| Backup | 2514263b-bc0d-4b06-ac3e-f262c0979018 | [Preview]: Immutability must be enabled for backup vaults | This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Default Audit Allowed Audit, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2024-02-27 19:10:20 | BuiltIn | |
| BuiltInPolicyTest | fa8af49a-f61d-4f56-9138-46b77d37df43 | [Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn. | This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. | Default Audit Allowed Audit, Disabled |
change |
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) | 2024-02-27 19:10:20 | BuiltIn | |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2024-02-27 19:10:20 | BuiltIn |
| BuiltInPolicyTest | 83a0809a-a4e3-4ef2-8a24-2afc156607af | [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. | This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels | Default Disabled Allowed Audit, Deny, Disabled |
change |
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) | 2024-02-27 19:10:20 | BuiltIn | |
| BuiltInPolicyTest | 85793e88-5a58-4555-93fa-4df63c86ae9c | [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. | Only deploy Registry Models in the allowed Registry and that are not restricted. | Default Disabled Allowed Deny, Disabled |
change |
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) | 2024-02-27 19:10:20 | BuiltIn | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Minor (4.0.4 > 4.1.0) | 2024-02-27 19:10:20 | BuiltIn |
| System Policy | b86dabb9-b578-4d7b-b842-3b45e95769a1 | Allowed resource deployment regions | This policy maintains a set of best available regions where your subscription can deploy resources. The objective of this policy is to ensure that your subscription has full access to Azure services with optimal performance. Should you need additional or different regions, contact support. | Fixed deny |
add |
new Policy | 2024-02-27 19:10:20 | BuiltIn | |
| Healthcare APIs | c42dee8c-0202-4a12-bd8e-3e171cbf64dd | FHIR Service should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services FHIR Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-02-27 19:10:20 | BuiltIn | |
| VirtualEnclaves | 7809fda1-ba27-48c1-9c63-1f5aee46ba89 | Storage Accounts should restrict network access through network ACL bypass configuration only. | To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-27 19:10:20 | BuiltIn | |
| Backup | d6f6f560-14b7-49a4-9fc8-d2c3a9807868 | [Preview]: Immutability must be enabled for Recovery Services vaults | This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Default Audit Allowed Audit, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2024-02-27 19:10:20 | BuiltIn | |
| Healthcare APIs | 14961b63-a1eb-4378-8725-7e84ca8db0e6 | DICOM Service should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services DICOM Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-02-27 19:10:20 | BuiltIn | |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.0.0 > 4.1.0) | 2024-02-27 19:10:20 | BuiltIn |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2024-02-27 19:10:20 | BuiltIn |
| BuiltInPolicyTest | 98cec160-6f57-4d11-86e2-0a03290a3a8a | [Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn. | This is a test policy only for internal use by Policy team. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) | 2024-02-27 19:10:20 | BuiltIn | |
| Resilience | 493c215d-2554-5976-bc81-57d2c04fc8c1 | [Preview]: Azure Database for MySQL Flexible Server should be Zone Resilient | Azure Database for MySQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. MySQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, MySQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | 42daa904-5969-47ef-92fb-b75df946195a | [Preview]: Container App should be Zone Redundant | Container App can be configured to be Zone Redundant or not. A Container App is Zone Redundant if its managed environment's 'ZoneRedundant' property is set to true. This policy identifies Container App lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d | [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 | [Preview]: Kubernetes cluster services should use unique selectors | Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.1.0 > 6.2.0) | 2024-02-20 22:44:08 | BuiltIn | |
| Azure Ai Services | 71ef260a-8f18-47b7-abcb-62d0673d94dc | Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | 4bd1f3c0-9443-49ad-b8bc-7c17a92b5924 | [Preview]: Backup Vaults should be Zone Redundant | Backup Vaults can be configured to be Zone Redundant or not. Backup Vaults are Zone Redundant if it's storage settings type is set to 'ZoneRedundant' and they are considered to be resilient. Geo Redundant or Locally Redundant Backup Vaults are not considered resilient. Enforcing this policy helps ensure that Backup Vaults are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (9.1.1 > 9.2.0) | 2024-02-20 22:44:08 | BuiltIn | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Patch, new suffix: deprecated (3.4.0 > 3.4.1-deprecated) | 2024-02-20 22:44:08 | BuiltIn |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.1.0 > 9.2.0) | 2024-02-20 22:44:08 | BuiltIn |
| Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.3-preview > 1.1.0-preview) | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | bf45a74c-ed4f-4300-8afe-d6f0abdfe75b | [Preview]: Azure HDInsight should be Zone Aligned | Azure HDInsight can be configured to be Zone Aligned or not. Azure HDInsight that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an Azure HDInsight cluster is configured to operate within a single availability zone. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.5.0 > 3.6.0) | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | 682e4ab9-59fe-4871-9839-265b54c568c4 | [Preview]: Public IP addresses should be Zone Resilient | Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | 493c215d-2553-4976-bc81-57d2c04fc8c1 | [Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient | Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. PostgreSQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, PostgreSQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | a22123bd-b9da-4c86-9424-24903e91fd55 | [Preview]: No AKS Specific Labels | Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | 18314dc7-a25d-420c-a069-f094b25ff91b | [Preview]: Firewalls should be Zone Resilient | Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in its zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in its zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | 493c215c-0553-4976-bc81-57d2c04fc8c1 | [Preview]: Application Gateways should be Zone Resilient | Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gatewaysmthat havenexactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gatmways withn3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Minor (4.5.0 > 4.7.0) | 2024-02-20 22:44:08 | BuiltIn |
| Resilience | ae243d87-5cf3-4dce-90bd-6d62be328de3 | [Preview]: Backup and Site Recovery should be Zone Redundant | Backup and Site Recovery can be configured to be Zone Redundant or not. Backup and Site Recovery is Zone Redundant if it's 'standardTierStorageRedundancy' property is set to 'ZoneRedundant'. Enforcing this policy helps ensure that Backup and Site Recovery is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.1.0 > 2.2.0) | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 | [Preview]: Must Have Anti Affinity Rules Set | This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 | [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present | Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-02-20 22:44:08 | BuiltIn | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.1.0 > 9.2.0) | 2024-02-20 22:44:08 | BuiltIn |
| Resilience | 18314dc7-a25d-420c-a069-f094b25ff919 | [Preview]: NAT gateway should be Zone Aligned | NAT gateway can be configured to be Zone Aligned or not. NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an NAT gateway is configured to operate within a single availability zone. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | 42daa904-5969-47ef-92cb-b75df946195a | [Preview]: API Management Service should be Zone Redundant | API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in it's zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (9.1.0 > 9.2.0) | 2024-02-20 22:44:08 | BuiltIn | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.1.0 > 9.2.0) | 2024-02-20 22:44:08 | BuiltIn |
| Resilience | 90bc8109-d21a-4692-88fc-51419391da3d | [Preview]: Azure AI Search Service should be Zone Redundant | Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | 42daa901-5969-47ef-92cb-b75df946195a | [Preview]: Load Balancers should be Zone Resilient | Load Balancers with a sku other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.1.0 > 9.2.0) | 2024-02-20 22:44:08 | BuiltIn |
| Azure Ai Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2024-02-20 22:44:08 | BuiltIn | |
| Kubernetes | 48940d92-ff05-449e-9111-e742d9280451 | [Preview]: Reserved System Pool Taints | Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) | 2024-02-20 22:44:08 | BuiltIn | |
| Resilience | f58e8c0a-3c79-431a-abf8-cd1b895478e8 | [Preview]: Container Instances should be Zone Aligned | Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-02-20 22:44:08 | BuiltIn | |
| Monitoring | 3aa571d2-2e4f-4e92-8a30-4312860efbe1 | Enable logging by category group for Application group (microsoft.desktopvirtualization/applicationgroups) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Application group (microsoft.desktopvirtualization/applicationgroups). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2024-02-13 19:27:15 | BuiltIn |
| Backup | 0b0434ec-2bad-4229-965f-bb7ae5a71257 | [Preview]: Azure Backup should be enabled for AKS clusters | Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn | |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, old suffix: preview (2.1.0-preview > 2.1.1) | 2024-02-13 19:27:15 | BuiltIn | |
| Monitoring | 45c6bfc7-4520-4d64-a158-730cd92eedbc | Enable logging by category group for Azure Cosmos DB (microsoft.documentdb/databaseaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB (microsoft.documentdb/databaseaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Monitoring | 6bb23bce-54ea-4d3d-b07d-628ce0f2e4e3 | Enable logging by category group for Workspace (microsoft.desktopvirtualization/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Workspace (microsoft.desktopvirtualization/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.4.0 > 3.5.0) | 2024-02-13 19:27:15 | BuiltIn |
| Network | cd6f7aff-2845-4dab-99f2-6d1754a754b0 | Deploy a Flow Log resource with target virtual network | Configures flow log for specific virtual network. It will allow to log information about IP traffic flowing through an virtual network. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.1.0 > 1.1.1) | 2024-02-13 19:27:15 | BuiltIn |
| Network | 3e9965dc-cc13-47ca-8259-a4252fd0cf7b | Configure virtual network to enable Flow Log and Traffic Analytics | Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current setting for virtual networks that already have these feature enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.1.0 > 1.1.1) | 2024-02-13 19:27:15 | BuiltIn |
| Backup | 4510daf9-5abc-4d7d-a11d-d84416b814f6 | [Preview]: Azure Backup should be enabled for Blobs in Storage Accounts | Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn | |
| Monitoring | c0d8e23a-47be-4032-961f-8b0ff3957061 | Enable logging by category group for App Service (microsoft.web/sites) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service (microsoft.web/sites). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | [Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2024-02-13 19:27:15 | BuiltIn |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.3.0 > 3.4.0) | 2024-02-13 19:27:15 | BuiltIn |
| Monitoring | 6f95136f-6544-4722-a354-25a18ddb18a7 | Enable logging by category group for Host pool (microsoft.desktopvirtualization/hostpools) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Host pool (microsoft.desktopvirtualization/hostpools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Key Vault | 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 | Azure Key Vault should use RBAC permission model | Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2024-02-13 19:27:15 | BuiltIn | |
| Network | 052c180e-287d-44c3-86ef-01aeae2d9774 | Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics | If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.1.0 > 1.1.1) | 2024-02-13 19:27:15 | BuiltIn |
| Security Center | da56d295-2889-41ce-a4cd-6f50fb93aa68 | Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP) | Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP), for Windows downlevel machines onboarded to MDE via MMA, and auto provisioning of MDE on Windows Server 2019 , Windows Virtual Desktop and above. Must be turned on in order for the other settings (WDATP_UNIFIED, etc.) to work. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Security Center | d38668f5-d155-42c7-ab3d-9b57b50f8fbf | Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers | Audit PostgreSQL flexible servers without Advanced Data Security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn | |
| Monitoring | e9c22e0d-1f03-44da-a9d5-a9754ea53dc4 | Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Function App (microsoft.web/sites). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Security Center | f9e2bd2f-47c7-4059-8265-c5292aa62c8a | Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX...) | Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_EXCLUDE_LINUX_...), for enabling auto provisioning of MDE for Linux servers. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Backup | fda9cd0b-094c-4cd5-ac2a-5e06e5277c45 | [Preview]: Azure Backup Extension should be installed in AKS clusters | Ensure protection installation of backup extension in your AKS Clusters to leverage Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.3.0 > 3.4.0) | 2024-02-13 19:27:15 | BuiltIn |
| Backup | a25a41a7-a769-4271-841d-7ce0297be0c0 | [Preview]: Azure Backup should be enabled for Managed Disks | Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn | |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.4.0 > 3.5.0) | 2024-02-13 19:27:15 | BuiltIn |
| ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview) | 2024-02-13 19:27:15 | BuiltIn |
| Security Center | 48666c5d-cec1-4043-ab6b-1be05abb24f2 | Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION) | Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_UNIFIED_SOLUTION), for enabling auto provisioning of MDE Unified Agent for Windows Server 2012R2 and 2016. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Monitoring | 244bcb20-b194-41f3-afcc-63aef382b64c | Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, old suffix: preview (2.2.0-preview > 2.2.1) | 2024-02-13 19:27:15 | BuiltIn | |
| Monitoring | a4490248-cb97-4504-b7fb-f906afdb7437 | Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewall (microsoft.network/azurefirewalls). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Monitoring | cdd1dbc6-0004-4fcd-afd7-b67550de37ff | Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-02-13 19:27:15 | BuiltIn |
| Security Center | Deploy-MDFC-SQL-DefenderSQL-DCR | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2024-02-05 19:33:54 | ALZ |
| Security Center | Deploy-MDFC-SQL-AMA | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2024-01-31 19:57:15 | ALZ |
| Managed Identity | Deploy-UserAssignedManagedIdentity-VMInsights | Deploy User Assigned Managed Identity for VM Insights | Create and assign a User Assigned Managed Identity to Virtual Machines for VM Insights | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2024-01-31 19:57:15 | ALZ |
| Security Center | Deploy-MDFC-Arc-Sql-DefenderSQL-DCR | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2024-01-31 19:57:15 | ALZ |
| Security Center | Deploy-MDFC-SQL-DefenderSQL-DCR | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2024-01-31 19:57:15 | ALZ |
| Security Center | Deploy-MDFC-SQL-DefenderSQL | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2024-01-31 19:57:15 | ALZ |
| Security Center | 5eb6d64a-4086-4d7a-92da-ec51aed0332d | Configure Microsoft Defender for Servers plan | New capabilities are continuously being added to Defender for Servers, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2024-01-31 19:57:15 | BuiltIn |
| Security Center | 17bc14a7-92e1-4551-8b8c-80f36953e166 | Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Minor (1.0.2 > 1.1.0) | 2024-01-31 19:57:15 | BuiltIn |
| Security Center | 72f8cee7-2937-403d-84a1-a4e3e57f3c21 | Configure Microsoft Defender CSPM plan | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2024-01-31 19:57:15 | BuiltIn |
| Security Center | b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 | Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Minor (1.0.2 > 1.1.0) | 2024-01-31 19:57:15 | BuiltIn |
| Monitoring | Deploy-Diagnostics-MariaDB | [Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace | Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-01-31 19:57:15 | ALZ |
| Security Center | efd4031d-b232-4595-babf-ae817348e91b | Configure Microsoft Defender for Containers plan | New capabilities are continuously being added to Defender for Containers plan, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2024-01-31 19:57:15 | BuiltIn |
| Network | Deny-MgmtPorts-From-Internet | Management port access from the Internet should be blocked | This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. | Default Deny Allowed Audit, Deny, Disabled |
change |
Patch (2.1.0 > 2.1.1) Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet) |
2024-01-31 19:57:15 | ALZ | |
| Security Center | 1f725891-01c0-420a-9059-4fa46cb770b7 | Configure Microsoft Defender for Key Vault plan | Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Minor (1.0.2 > 1.1.0) | 2024-01-31 19:57:15 | BuiltIn |
| Security Center | Deploy-MDFC-Arc-SQL-DCR-Association | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2024-01-31 19:57:15 | ALZ |
| Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) | 2024-01-31 19:57:15 | BuiltIn | |
| SQL | 78215662-041e-49ed-a9dd-5385911b3a1f | Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2024-01-24 19:15:51 | BuiltIn | |
| Synapse | 6ea81a52-5ca7-4575-9669-eaa910b7edf8 | Synapse Workspaces should have Microsoft Entra-only authentication enabled | Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn | |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (3.9.1 > 3.10.0) | 2024-01-24 19:15:51 | BuiltIn |
| SQL | 0c28c3fb-c244-42d5-a9bf-f35f2999577b | Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled | Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn | |
| Stack HCI | 7384fde3-11b0-4047-acbd-b3cf3cc8ce07 | [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies | This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/dad3a6b9-4451-492f-a95c-69efc6f3fada. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Disabled |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn | |
| Synapse | c3624673-d2ff-48e0-b28c-5de1c6767c3c | Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation | Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-01-24 19:15:51 | BuiltIn |
| SQL | b3a22bc9-66de-45fb-98fa-00f5df42f41a | Azure SQL Database should have Microsoft Entra-only authentication enabled | Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn | |
| Backup | c7031eab-0fc0-4cd9-acd0-4497bd66d91a | [Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults. | This policy audits if Multi-User Authorization (MUA) is enabled for Recovery Services Vaults. MUA helps in securing your Recovery Services Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/MUAforRSV. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn | |
| Stack HCI | 56c47221-b8b7-446e-9ab7-c7c9dc07f0ad | [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements | This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Disabled |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn | |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.4.1 > 3.5.0) | 2024-01-24 19:15:51 | BuiltIn | |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Minor (4.4.1 > 4.5.0) | 2024-01-24 19:15:51 | BuiltIn |
| Synapse | 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 | Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation | Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2024-01-24 19:15:51 | BuiltIn | |
| Stack HCI | aee306e7-80b0-46f3-814c-d3d3083ed034 | [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems | This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Disabled |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn | |
| Synapse | 738949be-6fd2-46b9-b969-99b53712b192 | Configure Synapse Workspaces to use only Microsoft Entra identities for authentication | Require and reconfigure Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled and re-enables Microsoft Entra-only authentication on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn |
| Key Vault | d3e82b87-6673-410b-8501-1896b688b9a3 | [Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities | Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn | |
| Stack HCI | ae95f12a-b6fd-42e0-805c-6b94b86c9830 | [Deprecated]: Azure Stack HCI systems should have encrypted volumes | This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Disabled |
add |
new Policy | 2024-01-24 19:15:51 | BuiltIn | |
| SQL | abda6d70-9778-44e7-84a8-06713e6db027 | Azure SQL Database should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2024-01-24 19:15:51 | BuiltIn | |
| Security Center - Granular Pricing | 9e4879d9-c2a0-4e40-8017-1a5a5327c843 | Configure Azure Defender for Servers to be enabled ('P1' subplan) for all resources (resource level) with the selected tag | Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) that have the selected tag name and tag value(s). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2024-01-22 17:47:54 | BuiltIn | |
| ElasticSan | 6a92fe1f-0b86-44ae-843d-2db3d2b571ae | ElasticSan should disable public network access | Disable public network access for your ElasticSan so that it's not accessible over the public internet. This can reduce data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn | |
| ElasticSan | 1abc5157-29f8-4dbd-b28e-ff99526cb8b7 | ElasticSan Volume Group should use private endpoints | Private endpoints lets administrator connect virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to volume group, administrator can reduce data leakage risks | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn | |
| Security Center - Granular Pricing | 1b8c0040-b224-4ea1-be6a-47254dd5a207 | Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level) | Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) in the selected scope (subscription or resource group). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2024-01-22 17:47:54 | BuiltIn | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Minor (4.0.0 > 4.1.0) | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-01-22 17:47:54 | BuiltIn | |
| Guest Configuration | 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f | [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-01-22 17:47:54 | BuiltIn | |
| SQL | 80ed5239-4122-41ed-b54a-6f1fa7552816 | Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | f40c7c00-b4e3-4068-a315-5fe81347a904 | [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines | This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-01-22 17:47:54 | BuiltIn | |
| BuiltInPolicyTest | 83a0809a-a4e3-4ef2-8a24-2afc156607af | [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. | This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels | Default Disabled Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn | |
| Guest Configuration | 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 | [Preview]: Linux machines should meet STIG compliance requirement for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-01-22 17:47:54 | BuiltIn | |
| Guest Configuration | e79ffbda-ff85-465d-ab8e-7e58a557660f | [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-01-22 17:47:54 | BuiltIn | |
| SQL | db048e65-913c-49f9-bb5f-1084184671d3 | Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.1.0 > 2.2.0) | 2024-01-22 17:47:54 | BuiltIn | |
| Guest Configuration | fad40cac-a972-4db0-b204-f1b15cced89a | Local authentication methods should be disabled on Linux machines | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2024-01-22 17:47:54 | BuiltIn | |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Minor (4.0.0 > 4.1.0) | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2024-01-22 17:47:54 | BuiltIn | |
| BuiltInPolicyTest | 85793e88-5a58-4555-93fa-4df63c86ae9c | [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. | Only deploy Registry Models in the allowed Registry and that are not restricted. | Default Disabled Allowed Deny, Disabled |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn | |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2024-01-22 17:47:54 | BuiltIn | |
| Guest Configuration | cd22fc48-f2c9-4b86-98d3-ec1268b46a8a | Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2024-01-22 17:47:54 | BuiltIn |
| Security Center | 2a6ae02f-7590-40d7-88ba-b18e205a32fd | Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers | Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-01-22 17:47:54 | BuiltIn |
| SQL | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.1.0-deprecated > 1.2.0-deprecated) | 2024-01-22 17:47:54 | BuiltIn | |
| BuiltInPolicyTest | 98cec160-6f57-4d11-86e2-0a03290a3a8a | [Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn. | This is a test policy only for internal use by Policy team. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn | |
| BuiltInPolicyTest | fa8af49a-f61d-4f56-9138-46b77d37df43 | [Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn. | This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn | |
| Backup | c58e083e-7982-4e24-afdc-be14d312389e | [Preview]: Multi-User Authorization (MUA) must be enabled for Backup Vaults. | This policy audits if Multi-User Authorization (MUA) is enabled for Backup Vaults. MUA helps in securing your Backup Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/mua-for-bv. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn | |
| Security Center - Granular Pricing | 080fedce-9d4a-4d07-abf0-9f036afbc9c8 | Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag | Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) that have the selected tag name and tag value(s). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn |
| Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.1.0 > 2.2.0) | 2024-01-22 17:47:54 | BuiltIn | |
| BuiltInPolicyTest | f8d398ae-0441-4921-a341-40f3973d4647 | [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn | This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. | Default Disabled Allowed Deny, Disabled |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn | |
| Security Center - Granular Pricing | f6ff485a-7630-4730-854d-cd3ad855435e | Configure Azure Defender for Servers to be disabled for all resources (resource level) | Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) in the selected scope (subscription or resource group). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2024-01-22 17:47:54 | BuiltIn |
| VirtualEnclaves | ead33d15-8ff9-44d8-be85-24144ecc859e | Do not allow creation of resource types outside of the allowlist | This policy prevents deployment of resource types outside of the explicitly allowed types, in order to maintain security in a virtual enclave. https://aka.ms/VirtualEnclaves | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.3.1 > 1.4.0) | 2024-01-12 18:35:06 | BuiltIn |
| Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Minor (1.0.3 > 1.1.0) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.2.1 > 1.3.0) | 2024-01-12 18:35:06 | BuiltIn |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (2.1.0 > 2.1.1) | 2024-01-12 18:35:06 | BuiltIn | |
| Monitoring | 752154a7-1e0f-45c6-a880-ac75a7e4f648 | Public IP addresses should have resource logs enabled for Azure DDoS Protection | Enable resource logs for public IP addressess in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. | Default AuditIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.1 > 2.0.2) | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2024-01-12 18:35:06 | BuiltIn | |
| Network | 052c180e-287d-44c3-86ef-01aeae2d9774 | Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics | If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-01-12 18:35:06 | BuiltIn |
| VirtualEnclaves | 337ef0ec-0703-499e-a57c-b4155034e606 | Do not allow creation of specified resource types or types under specific providers | The resource providers and types specified via parameter list are not allowed to be created without explicit approval from the security team. If an exemption is granted to the policy assignment, the resource can be leveraged within the enclave. https://aka.ms/VirtualEnclaves | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | 3592ff98-9787-443a-af59-4505d0fe0786 | Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (1.2.2 > 1.3.0) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | bdc59948-5574-49b3-bb91-76b7c986428d | [Deprecated]: Azure Defender for DNS should be enabled | This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.3.1 > 1.4.0) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | 2370a3c1-4a25-4283-a91a-c9c1a145fb2f | [Deprecated]: Configure Azure Defender for DNS to be enabled | This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Minor, new suffix: deprecated (1.0.2 > 1.1.0-deprecated) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.2.2 > 1.3.0) | 2024-01-12 18:35:06 | BuiltIn |
| Backup | 31b8092a-36b8-434b-9af7-5ec844364148 | [Preview]: Soft delete must be enabled for Recovery Services Vaults. | This policy audits if soft delete is enabled for Recovery Services Vaults in the scope. Soft delete can help you recover your data even after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 | Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | cbdd12e1-193a-445c-9926-560118c6daaa | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.2 > 1.1.0) | 2024-01-12 18:35:06 | BuiltIn |
| Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.2.0 > 2.3.0) | 2024-01-12 18:35:06 | BuiltIn | |
| Network | 4c3c6c5f-0d47-4402-99b8-aa543dd8bcee | Audit flow logs configuration for every virtual network | Audit for virtual network to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2024-01-12 18:35:06 | BuiltIn | |
| Network | 3e9965dc-cc13-47ca-8259-a4252fd0cf7b | Configure virtual network to enable Flow Log and Traffic Analytics | Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current setting for virtual networks that already have these feature enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.1.2 > 1.2.0) | 2024-01-12 18:35:06 | BuiltIn |
| VirtualEnclaves | f3a7bbfd-a810-47a6-b5ba-8e17d8cffb96 | Network interfaces should be connected to an approved subnet of the approved virtual network | This policy blocks network interfaces from connecting to a virtual network or subnet that is not approved. https://aka.ms/VirtualEnclaves | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | c6283572-73bb-4deb-bf2c-7a2b8f7462cb | SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan | To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. Learn more: https://aka.ms/SQLAMAMigration | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.2.2 > 1.3.0) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.3.1 > 1.4.0) | 2024-01-12 18:35:06 | BuiltIn |
| Network | cd6f7aff-2845-4dab-99f2-6d1754a754b0 | Deploy a Flow Log resource with target virtual network | Configures flow log for specific virtual network. It will allow to log information about IP traffic flowing through an virtual network. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-01-12 18:35:06 | BuiltIn |
| Network | 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d | Virtual networks should be protected by Azure DDoS Protection | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Default Modify Allowed Modify, Audit, Disabled |
count: 001 •Network Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.1 > 1.2.0) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.3.1 > 1.4.0) | 2024-01-12 18:35:06 | BuiltIn |
| Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | 090c7b07-b4ed-4561-ad20-e9075f3ccaff | Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2024-01-12 18:35:06 | BuiltIn | |
| Security Center | 65503269-6a54-4553-8a28-0065a8e6d929 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.1.2 > 1.2.0) | 2024-01-12 18:35:06 | BuiltIn |
| Guest Configuration | ec2c1bce-5ad3-4b07-bb4f-e041410cd8db | [Preview]: Nexus Compute Machines should meet Security Baseline | Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-01-05 19:11:18 | BuiltIn | |
| Backup | 8f09fda1-91a2-4e14-96a2-67c6281158f7 | [Preview]: Do not allow creation of Recovery Services vaults of chosen storage redundancy. | Recovery Services vaults can be created with any one of three storage redundancy options today, namely, Locally-redundant Storage, Zone-redundant storage and Geo-redundant storage. If the policies in your organization requires you to block the creation of vaults that belong to a certain redundancy type, you may achieve the same using this Azure policy. | Default Deny Allowed Deny, Disabled |
add |
new Policy | 2023-12-19 19:28:10 | BuiltIn | |
| Security Center | 2a6ae02f-7590-40d7-88ba-b18e205a32fd | Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers | Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-12-14 19:23:04 | BuiltIn |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (9.1.0 > 9.1.1) | 2023-12-14 19:23:04 | BuiltIn | |
| ElasticSan | 7698f4ed-80ce-4e13-b408-ee135fa400a5 | ElasticSan Volume Group should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your VolumeGroup. By default, customer data is encrypted with platform-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-12-14 19:23:04 | BuiltIn | |
| Machine Learning | 19539b54-c61e-4196-9a38-67598701be90 | [Preview]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry | Only deploy Registry Models in the allowed Registry and that are not restricted. | Fixed [parameters('effect')] |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| App Service | 153ab4ca-2d58-4b5d-9134-6d8c6bdd321c | Function app slots should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | 075896de-f4f8-465b-b6d8-9e73725bb62d | [Preview]: Service Fabric Clusters should be Zone Redundant | Service Fabric Clusters can be configured to be Zone Redundant or not. Servicefabric Clusters whose nodeType do not have the multipleAvailabilityZones set to true are not Zone Redundant. This policy identifies Servicefabric Clusters lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Network | 27f7fb01-5fdb-44ad-954c-d582f8659533 | Bot Protection should be enabled for Azure Front Door WAF | This policy ensures that bot protection is enabled in all Azure Front Door Web Application Firewall (WAF) policies | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| SQL | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2023-12-08 20:47:07 | BuiltIn |
| App Service | 2f7c08c2-f671-4282-9fdb-597b6ef2c10d | [Deprecated]: App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
change |
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | f16a3ca9-b57a-4392-b660-4c1f8442aa8d | [Preview]: SQL Elastic database pools should be Zone Redundant | SQL Elastic database pools can be configured to be Zone Redundant or not. SQL Elastic database pools are Zone Redundant if it's 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| SQL | db048e65-913c-49f9-bb5f-1084184671d3 | Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2023-12-08 20:47:07 | BuiltIn |
| App Service | ab6a902f-9493-453b-928d-62c30b11b5a6 | Function apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
change |
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2023-12-08 20:47:07 | BuiltIn | |
| Guest Configuration | 14b4e776-9fab-44b0-b53f-38d2458ea8be | [Preview]: Extended Security Updates should be installed on Windows Server 2012 Arc machines. | Windows Server 2012 Arc machines should have installed all the Extended Security Updates released by Microsoft. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Network | ff1f1879-a60d-4f23-9641-41e7391ec19a | Azure Application Gateway should be deployed with Azure WAF | Requires Azure Application Gateway resources to be deployed with Azure WAF. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| App Service | 5b0bd968-5cb5-4513-8987-27786c6f0df8 | App Service app slots should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| API Management | 1dc2fc00-2245-4143-99f4-874c937f13ef | Azure API Management platform version should be stv2 | Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024 | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Network | ebea0d86-7fbd-42e3-8a46-27e7568c2525 | Bot Protection should be enabled for Azure Application Gateway WAF | This policy ensures that bot protection is enabled in all Azure Application Gateway Web Application Firewall (WAF) policies | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| App Service | cf9ca02d-383e-4506-a421-258cc1a5300d | [Deprecated]: Function app slots should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
change |
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | 2dba5c7e-12a4-4be8-b208-f59bc49e88c2 | [Preview]: Public IP Prefixes should be Zone Resilient | Public IP Prefixes can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP prefixes that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP prefixes with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | 682e4ab9-59fe-4871-9839-265b54c568c4 | [Preview]: Public IP addresses should be Zone Resilient | Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| SQL | 80ed5239-4122-41ed-b54a-6f1fa7552816 | Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2023-12-08 20:47:07 | BuiltIn |
| App Service | 19dd1db6-f442-49cf-a838-b0786b4401ef | App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | 0fc92280-604b-4f23-9e04-5ef98d1a28df | [Preview]: SQL Managed Instances should be Zone Redundant | SQL Managed Instances can be configured to be Zone Redundant or not. Instances with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL managedInstances that need zone redundancy configuration to enhance availability and resilience within Azure. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | ae243d87-5cf3-4dce-90bd-6d62be328de9 | [Preview]: Event Hubs should be Zone Redundant | Event Hubs can be configured to be Zone Redundant or not. Event Hubs are Zone Redundant if it's 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | bdd8bbb2-1efd-48dc-a0fd-8ddcba2e96cd | [Preview]: Azure Managed Grafana should be Zone Redundant | Azure Managed Grafana can be configured to be Zone Redundant or not. An Azure Managed Grafana instance is Zone Redundant is it's 'zoneRedundancy' property is set to 'Enabled'. Enforcing this policy helps ensure that your Azure Managed Grafana is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
change |
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2023-12-08 20:47:07 | BuiltIn | |
| Tags | 36fd7371-8eb7-4321-9c30-a7100022d048 | Requires resources to not have a specific tag. This is a versioning test built-in. | Denies the creation of a resource that contains the given tag. Does not apply to resource groups. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | 2dec5f47-bc40-40d1-8c7d-a39d9d6808d1 | [Preview]: Azure Kubernetes Service Managed Clusters should be Zone Redundant | Azure Kubernetes Service Managed Clusters can be configured to be Zone Redundant or not. The policy checks the node pools in the cluster and ensures that avaialbilty zones are set for all the node pools. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | 344ea7ca-2ba8-4d68-859b-317239714b2c | [Preview]: Managed Disks should be Zone Resilient | Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | 6221cac0-bb8d-40f4-9535-5d03f713f054 | [Preview]: SQL Databases should be Zone Redundant | SQL Databases can be configured to be Zone Redundant or not. Databases with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL databases that need zone redundancy configuration to enhance availability and resilience within Azure. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Resilience | 22888755-d824-4e43-8e0b-42d481836554 | [Preview]: App Service Plans should be Zone Redundant | App Service Plans can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for an App Service Plan, it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for App Service Plans. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| 165a4137-c3ed-4fd0-a17f-1c8a80266580 | n/a | n/a | remove |
165a4137-c3ed-4fd0-a17f-1c8a80266580 | 2023-12-08 20:47:07 (i) | BuiltIn | |||
| Resilience | da8a2248-6b4a-44a7-96bf-bf1c0dd208c3 | [Preview]: Virtual network gateways should be Zone Redundant | Virtual network gateways can be configured to be Zone Redundant or not. Virtual network gateways whose SKU name or tier does not end with 'AZ' are not Zone Redundant. This policy identifies Virtual network gateways lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-12-08 20:47:07 | BuiltIn | |
| Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2023-12-04 18:38:36 | BuiltIn | |
| Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (1.0.4 > 1.1.0-deprecated) | 2023-12-04 18:38:36 | BuiltIn | |
| Service Bus | 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e | Configure Azure Service Bus namespaces to disable local authentication | Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. | Default Modify Allowed Modify, Disabled |
count: 001 •Azure Service Bus Data Owner |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn |
| Event Grid | 67dcad1a-ec60-45df-8fd0-14c9d29eeaa2 | Azure Event Grid namespaces should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
| SQL | 40e85574-ef33-47e8-a854-7a65c7500560 | Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled | Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn | |
| Security Center | 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, old suffix: preview (1.1.0-preview > 1.1.1) | 2023-11-17 19:29:28 | BuiltIn |
| Security Center | cbdd12e1-193a-445c-9926-560118c6daaa | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, old suffix: preview (1.0.1-preview > 1.0.2) | 2023-11-17 19:29:28 | BuiltIn |
| Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, old suffix: preview (1.1.1-preview > 1.1.2) | 2023-11-17 19:29:28 | BuiltIn |
| Security Center | 3592ff98-9787-443a-af59-4505d0fe0786 | Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-11-17 19:29:28 | BuiltIn |
| Event Grid | cddcbb7e-a7b1-4380-b4d8-45cf77b0d561 | Configure Azure Event Grid namespace MQTT broker with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •EventGrid Contributor •Network Contributor |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn |
| Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, old suffix: preview (1.3.0-preview > 1.3.1) | 2023-11-17 19:29:28 | BuiltIn |
| Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, old suffix: preview (1.3.0-preview > 1.3.1) | 2023-11-17 19:29:28 | BuiltIn |
| Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-11-17 19:29:28 | BuiltIn |
| Event Hub | 5d4e3c65-4873-47be-94f3-6f8b953a3598 | Azure Event Hub namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn | |
| Event Hub | 57f35901-8389-40bb-ac49-3ba4f86d889d | Configure Azure Event Hub namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default Modify Allowed Modify, Disabled |
count: 001 •Azure Event Hubs Data Owner |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn |
| Guest Configuration | ec2c1bce-5ad3-4b07-bb4f-e041410cd8db | [Preview]: Nexus Compute Machines should meet Security Baseline | Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
| Event Grid | cd8f7644-6fe8-4516-bded-0e465ead03ac | Azure Event Grid namespace MQTT broker should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
| Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, old suffix: preview (1.3.0-preview > 1.3.1) | 2023-11-17 19:29:28 | BuiltIn |
| Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, old suffix: preview (1.3.0-preview > 1.3.1) | 2023-11-17 19:29:28 | BuiltIn |
| Event Grid | 1301a000-bc6b-4d90-8414-7091e3abdc40 | Azure Event Grid namespace topic broker should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
| SQL | b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 | A Microsoft Entra administrator should be provisioned for PostgreSQL servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn | |
| Security Center | 65503269-6a54-4553-8a28-0065a8e6d929 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch, old suffix: preview (1.1.1-preview > 1.1.2) | 2023-11-17 19:29:28 | BuiltIn |
| Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-11-17 19:29:28 | BuiltIn |
| Service Bus | cfb11c26-f069-4c14-8e36-56c394dae5af | Azure Service Bus namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-11-17 19:29:28 | BuiltIn | |
| Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, old suffix: preview (1.2.0-preview > 1.2.1) | 2023-11-17 19:29:28 | BuiltIn |
| Azure Arc | 4c660f31-eafb-408d-a2b3-6ed2260bd26c | [Preview]: Deny Extended Security Updates (ESUs) license creation or modification. | This policy enables you to restrict the creation or modification of ESU licenses for Windows Server 2012 Arc machines. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing | Default Deny Allowed Deny, Disabled |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn | |
| Event Grid | 2b21ce34-9c45-4037-9c84-0ac0dbd0095f | Configure Azure Event Grid namespaces with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •EventGrid Contributor •Network Contributor |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn |
| SQL | 146412e9-005c-472b-9e48-c87b72ac229e | A Microsoft Entra administrator should be provisioned for MySQL servers | Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2023-11-17 19:29:28 | BuiltIn | |
| Azure Arc | 4864134f-d306-4ff5-94d8-ea4553b18c97 | [Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. | Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected even after their support lifecycle has ended. Learn How to prepare to deliver Extended Security Updates for Windows Server 2012 through AzureArc please visit https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Guest Configuration Resource Contributor •Hybrid Server Resource Administrator |
add |
new Policy | 2023-11-17 19:29:28 | BuiltIn |
| Kubernetes | ca8d5704-aa2b-40cf-b110-dc19052825ad | Kubernetes clusters should minimize wildcard use in role and cluster role | Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-14 18:14:48 | BuiltIn | |
| General | e624c84f-2923-4437-9fd9-4115c6da3888 | Configure subscriptions to set up preview features | This policy evaluates existing subscription's preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-11-14 18:14:48 | BuiltIn |
| SQL Server | f692cc79-76fb-4c61-8861-467e454ac6f8 | Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates. | Subscribe eligible Arc-enabled SQL Servers instances with License Type set to Paid or PAYG to Extended Security Updates. More on extended security updates https://go.microsoft.com/fwlink/?linkid=2239401. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Extension for SQL Server Deployment •Reader |
add |
new Policy | 2023-11-14 18:14:48 | BuiltIn |
| Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Deprecated]: Configure Microsoft Defender for APIs should be enabled | This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch, suffix remains equal (1.0.2-deprecated > 1.0.3-deprecated) | 2023-11-14 18:14:48 | BuiltIn |
| Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (3.0.0-deprecated > 3.0.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
| Kubernetes | 7e49285c-4bed-4564-b26a-5225ccc311f3 | Deploy Image Cleaner on Azure Kubernetes Service | Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.3 > 1.0.4) | 2023-11-08 19:40:08 | BuiltIn |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
| Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (5.2.0-deprecated > 5.2.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
| Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) | 2023-11-08 19:40:08 | BuiltIn |
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) | 2023-11-08 19:40:08 | BuiltIn |
| Security Center | 8ac833bd-f505-48d5-887e-c993a1d3eea0 | API endpoints in Azure API Management should be authenticated | API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-11-06 19:40:47 | BuiltIn | |
| Security Center | 7926a6d1-b268-4586-8197-e8ae90c877d7 | Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.0.2-preview > 1.0.3) | 2023-11-06 19:40:47 | BuiltIn | |
| Resilience | 408934a8-941a-4c1e-ba88-dd035d9688f4 | [Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant | Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
| Resilience | 1bf67da8-b100-45bf-b89d-e4669fc54411 | [Preview]: Azure Cache for Redis should be Zone Redundant | Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
| Resilience | cbe58ab0-07a8-43ea-9ccc-8ea33e4d6aa5 | [Preview]: Azure Data Explorer Clusters should be Zone Redundant | Azure Data Explorer Clusters can be configured to be Zone Redundant or not. An Azure Data Explorer Cluster is considered Zone Redundant if it has at least two entries in its zones array. This policy helps ensure the your Azure Data Explorer Clusters are Zone Redundant. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
| Resilience | d3ee5dcf-0c6d-49ab-aee4-f250583a7bdc | [Preview]: Service Bus should be Zone Redundant | Service Bus can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for a Service Bus, it means it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for Service Bus instances. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
| Resilience | 85b005b2-95fc-4953-b9cb-f9ee6427c754 | [Preview]: Storage Accounts should be Zone Redundant | Storage Accounts can be configured to be Zone Redundant or not. If a Storage Account's SKU name does not end with 'ZRS' or its kind is 'Storage,' it is not Zone Redundant. This policy ensures that your Storage Accounts use ae Zone Redundant configuration. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
| Kubernetes | a3dc4946-dba6-43e6-950d-f96532848c9f | Kubernetes clusters should ensure that the cluster-admin role is only used where required | The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
| Kubernetes | 5c345cdf-2049-47e0-b8fe-b0e96bc2df35 | Azure Kubernetes Service Clusters should enable cluster auto-upgrade | AKS cluster auto-upgrade can ensure your clusters are up to date and don't miss the latest features or patches from AKS and upstream Kubernetes. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-cluster. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
| Resilience | 9d2b0a20-57d6-474c-9d12-44a4a20999c6 | [Preview]: Container Registry should be Zone Redundant | Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
| Resilience | 42daa904-5969-47ef-92cb-b75df946195a | [Preview]: API Management Service should be Zone Redundant | API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in it's zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-11-06 19:40:47 | BuiltIn | |
| Security Center | c8acafaf-3d23-44d1-9624-978ef0f8652c | API endpoints that are unused should be disabled and removed from the Azure API Management service | As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-11-06 19:40:47 | BuiltIn | |
| SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-11-06 19:40:47 | BuiltIn | |
| SQL | 78215662-041e-49ed-a9dd-5385911b3a1f | Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-10-31 19:02:40 | BuiltIn | |
| Kubernetes | 40f1aee2-4db4-4b74-acb1-c6972e24cca8 | Configure Node OS Auto upgrade on Azure Kubernetes Cluster | Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.0 > 1.0.1) | 2023-10-31 19:02:40 | BuiltIn |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
| Security Center | 65503269-6a54-4553-8a28-0065a8e6d929 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
| Resilience | d3903bdf-ab85-4cce-85d3-2934d77629d4 | [Preview]: Virtual Machine Scale Sets should be Zone Resilient | Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
| Kubernetes | b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 | [Preview]: Kubernetes cluster services should use unique selectors | Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
| Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.2 > 1.0.3) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
| Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (2.0.3 > 2.0.4) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (5.2.0-preview > 5.2.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
| Kubernetes | 7e49285c-4bed-4564-b26a-5225ccc311f3 | Deploy Image Cleaner on Azure Kubernetes Service | Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.2 > 1.0.3) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
| SQL Server | 7148a409-0d59-4baa-925b-b3aae486a14e | [Preview]: Enable system-assigned identity to SQL VM | Enable system-assigned identity at scale to SQL virtual machines. You need to assign this policy at subscription level. Assign at resource group level will not work as expected. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Deprecated]: Configure Microsoft Defender for APIs should be enabled | This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.0.2-preview > 1.0.2-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Synapse | 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 | Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation | Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-10-31 19:02:40 | BuiltIn | |
| Security Center | 3592ff98-9787-443a-af59-4505d0fe0786 | Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
| Synapse | c3624673-d2ff-48e0-b28c-5de1c6767c3c | Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation | Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-10-31 19:02:40 | BuiltIn |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
| Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Resilience | 44c5a1f9-7ef6-4c38-880c-273e8f7a3c24 | [Preview]: Cosmos Database Accounts should be Zone Redundant | Cosmos Database Accounts can be configured to be Zone Redundant or not. If the 'enableMultipleWriteLocations' is set to 'true' then all locations must have a 'isZoneRedundant' property and it must be set to 'true'. If the 'enableMultipleWriteLocations' is set to 'false' then the primary location ('failoverPriority' set to 0) must have a 'isZoneRedundant' property and it must be set to 'true'. Enforcing this policy ensures Cosmos Database Accounts are appropriately configured for zone redundancy. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (4.0.0 > 4.0.1) | 2023-10-31 19:02:40 | BuiltIn |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) | 2023-10-31 19:02:40 | BuiltIn | |
| Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Kubernetes | 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 | [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present | Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
| SQL | abda6d70-9778-44e7-84a8-06713e6db027 | Azure SQL Database should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-10-31 19:02:40 | BuiltIn | |
| Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Resilience | 42f4f3a2-7d20-4c13-a05d-01857a626c22 | [Preview]: Virtual Machines should be Zone Aligned | Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
| Kubernetes | d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d | [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-31 19:02:40 | BuiltIn | |
| Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
| Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) | 2023-10-31 19:02:40 | BuiltIn |
| Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.1 > 1.0.2) | 2023-10-23 17:41:36 | BuiltIn |
| Kubernetes | 7e49285c-4bed-4564-b26a-5225ccc311f3 | Deploy Image Cleaner on Azure Kubernetes Service | Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.0 > 1.0.2) | 2023-10-23 17:41:36 | BuiltIn |
| Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.1.0 > 2.2.0) | 2023-10-23 17:41:36 | BuiltIn | |
| Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (2.0.1 > 2.0.3) | 2023-10-23 17:41:36 | BuiltIn |
| Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.3-preview) | 2023-10-23 17:41:36 | BuiltIn |
| General | 78460a36-508a-49a4-b2b2-2f5ec564f4bb | Do not allow deletion of resource types | This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. | Default DenyAction Allowed DenyAction, Disabled |
add |
new Policy | 2023-10-23 17:41:36 | BuiltIn | |
| Kubernetes | 450d2877-ebea-41e8-b00c-e286317d21bf | Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration | AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-10-23 17:41:36 | BuiltIn | |
| Internet of Things | 43c323f6-0329-4f7c-a19a-6e5a5690d042 | Azure Device Update accounts should use customer-managed key to encrypt data at rest | Encryption of data at rest in Azure Device Update with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Learn more at:https://learn.microsoft.com/azure/iot-hub-device-update/device-update-data-encryption. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-10-16 18:01:34 | BuiltIn | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (4.1.0 > 4.1.1) | 2023-10-16 18:01:34 | BuiltIn | |
| Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-10-16 18:01:34 | BuiltIn |
| Guest Configuration | 828ba269-bf7f-4082-83dd-633417bc391d | Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines | Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-10-16 18:01:34 | BuiltIn |
| Machine Learning | a10ee784-7409-4941-b091-663697637c0f | Configure Azure Machine Learning Workspaces to disable public network access | Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.2 > 1.0.3) | 2023-10-09 18:04:57 | BuiltIn |
| Network | Audit-PrivateLinkDnsZones | Audit the creation of Private Link Private DNS Zones | This policy audits the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-10-05 18:01:59 | ALZ | |
| SQL | Deploy-MySQL-sslEnforcement | Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. | Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-09-27 17:59:47 | ALZ |
| Container Registry | 84497762-32b6-4ab3-80b6-732ea48b85a2 | Container registries should prevent cache rule creation | Disable cache rule creation for your Azure Container Registry to prevent pull through cache pulls. Learn more at: https://aka.ms/acr/cache. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-09-27 17:59:47 | BuiltIn | |
| SQL | Deploy-PostgreSQL-sslEnforcement | Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL | Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-09-27 17:59:47 | ALZ |
| Monitoring | DenyAction-ActivityLogs | DenyAction implementation on Activity Logs | This is a DenyAction implementation policy on Activity Logs. | Fixed denyAction |
add |
new Policy | 2023-09-27 17:59:47 | ALZ | |
| Storage | Deploy-Storage-sslEnforcement | Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS | Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Storage Account Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-09-27 17:59:47 | ALZ |
| SQL | Deploy-SqlMi-minTLS | SQL managed instances deploy a specific min TLS version requirement. | Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Managed Instance Contributor |
change |
Minor (1.0.0 > 1.2.0) | 2023-09-27 17:59:47 | ALZ |
| App Configuration | b08ab3ca-1062-4db3-8803-eec9cae605d6 | App Configuration stores should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-09-27 17:59:47 | BuiltIn | |
| App Configuration | 72bc14af-4ab8-43af-b4e4-38e7983f9a1f | Configure App Configuration stores to disable local authentication methods | Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-09-27 17:59:47 | BuiltIn |
| Monitoring | Deploy-Diagnostics-CosmosDB | Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace | Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-09-27 17:59:47 | ALZ |
| SQL | Deploy-SQL-minTLS | SQL servers deploys a specific min TLS version requirement. | Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Server Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-09-27 17:59:47 | ALZ |
| Monitoring | DenyAction-DiagnosticLogs | DenyAction implementation on Diagnostic Logs. | DenyAction implementation on Diagnostic Logs. | Fixed denyAction |
add |
new Policy | 2023-09-27 17:59:47 | ALZ | |
| App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.3 > 1.0.4) | 2023-09-22 17:59:46 | BuiltIn | |
| App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
| Kubernetes | 40f1aee2-4db4-4b74-acb1-c6972e24cca8 | Configure Node OS Auto upgrade on Azure Kubernetes Cluster | Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
add |
new Policy | 2023-09-22 17:59:46 | BuiltIn |
| Kubernetes | 04408ca5-aa10-42ce-8536-98955cdddd4c | Azure Kubernetes Service Clusters should enable node os auto-upgrade | AKS node OS auto-upgrade controls node-level OS security updates. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-09-22 17:59:46 | BuiltIn | |
| App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn | |
| App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn | |
| App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
| App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
| App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn | |
| Machine Learning | a10ee784-7409-4941-b091-663697637c0f | Configure Azure Machine Learning Workspaces to disable public network access | Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-09-22 17:59:46 | BuiltIn |
| App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.2 > 1.0.3) | 2023-09-22 17:59:46 | BuiltIn |
| Managed Identity | fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f | [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners | This policy limits federation with GitHub repos to only approved repository owners. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-09-22 17:59:46 | BuiltIn | |
| Kubernetes | af3c26b2-6fad-493e-9236-9c68928516ab | Azure Kubernetes Service Clusters should enable Image Cleaner | Image Cleaner performs automatic vulnerable, unused image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up. Learn more at: https://aka.ms/aks/image-cleaner. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-09-18 18:02:04 | BuiltIn | |
| Kubernetes | 7e49285c-4bed-4564-b26a-5225ccc311f3 | Deploy Image Cleaner on Azure Kubernetes Service | Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
add |
new Policy | 2023-09-18 18:02:04 | BuiltIn |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Patch, old suffix: preview (4.4.0-preview > 4.4.1) | 2023-09-18 18:02:04 | BuiltIn |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, old suffix: preview (3.9.0-preview > 3.9.1) | 2023-09-18 18:02:04 | BuiltIn |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (3.4.0-preview > 3.4.1) | 2023-09-18 18:02:04 | BuiltIn | |
| Media Services | daccf7e4-9808-470c-a848-1c5b582a1afb | Azure Media Services content key policies should use token authentication | Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Microsoft Entra ID. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-09-18 18:02:04 | BuiltIn | |
| Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Patch, old suffix: preview (2.2.0-preview > 2.2.1) | 2023-09-18 18:02:04 | BuiltIn |
| Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Tags | 36fd7371-8eb7-4321-9c30-a7100022d048 | Requires resources to not have a specific tag. This is a versioning test built-in. | Denies the creation of a resource that contains the given tag. Does not apply to resource groups. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-09-11 17:59:12 | BuiltIn | |
| Security Center | 65503269-6a54-4553-8a28-0065a8e6d929 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Monitoring | af0082fd-fa58-4349-b916-b0e47abb0935 | Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-09-11 17:59:12 | BuiltIn |
| Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn | |
| Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn | |
| Monitoring | 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 | Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch, old suffix: preview (1.2.1-preview > 1.2.2) | 2023-09-11 17:59:12 | BuiltIn |
| Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Security Center | 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn | |
| Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch, old suffix: preview (3.1.0-preview > 3.1.1) | 2023-09-11 17:59:12 | BuiltIn |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn | |
| Monitoring | 08a4470f-b26d-428d-97f4-7e3e9c92b366 | Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch, old suffix: preview (1.1.1-preview > 1.1.2) | 2023-09-11 17:59:12 | BuiltIn |
| Security Center | cbdd12e1-193a-445c-9926-560118c6daaa | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Minor, suffix remains equal (4.3.0-preview > 4.4.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn | |
| Monitoring | 84cfed75-dfd4-421b-93df-725b479d356a | Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch, old suffix: preview (1.1.1-preview > 1.1.2) | 2023-09-11 17:59:12 | BuiltIn |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.8.0-preview > 3.9.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) | 2023-09-11 17:59:12 | BuiltIn | |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) | 2023-09-11 17:59:12 | BuiltIn | |
| Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch, old suffix: preview (3.1.0-preview > 3.1.1) | 2023-09-11 17:59:12 | BuiltIn |
| Security Center | 3592ff98-9787-443a-af59-4505d0fe0786 | Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2023-09-11 17:59:12 | BuiltIn |
| Kubernetes | 5dc99dae-cfb2-42cc-8762-9aae02b74e27 | [Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
add |
new Policy | 2023-09-01 18:00:13 | BuiltIn |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) | 2023-09-01 18:00:13 | BuiltIn |
| Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Minor (2.0.0 > 2.1.0) | 2023-09-01 18:00:13 | BuiltIn |
| Key Vault | a2a5b911-5617-447e-a49e-59dbe0e0434b | Resource logs in Azure Key Vault Managed HSM should be enabled | To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-09-01 18:00:13 | BuiltIn | |
| Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Minor (1.0.2 > 1.1.0) | 2023-09-01 18:00:13 | BuiltIn |
| Internet of Things | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.1 > 3.1.0) | 2023-09-01 18:00:13 | BuiltIn | |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) | 2023-09-01 18:00:13 | BuiltIn |
| Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-09-01 18:00:13 | BuiltIn | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
| ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2023-08-28 18:00:34 | BuiltIn |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-08-28 18:00:34 | BuiltIn | |
| ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | [Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2023-08-28 18:00:34 | BuiltIn |
| ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.3.0 > 3.4.0) | 2023-08-28 18:00:34 | BuiltIn |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) | 2023-08-28 18:00:34 | BuiltIn | |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.3.0 > 3.4.0) | 2023-08-28 18:00:34 | BuiltIn |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2023-08-28 18:00:34 | BuiltIn |
| Security Center | 3592ff98-9787-443a-af59-4505d0fe0786 | Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | 65503269-6a54-4553-8a28-0065a8e6d929 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (2.3.0 > 2.4.0) | 2023-08-22 17:59:24 | BuiltIn |
| Automanage | b025cfb4-3702-47c2-9110-87fe0cfcc99b | Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.3.0 > 1.4.0) | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | feedbf84-6b99-488c-acc2-71c829aa5ffc | SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-08-22 17:59:24 | BuiltIn | |
| Kubernetes | cf426bb8-b320-4321-8545-1b784a5df3a4 | [Image Integrity] Kubernetes clusters should only use images signed by notation | Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn | |
| Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | cbdd12e1-193a-445c-9926-560118c6daaa | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Security Center | 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-08-22 17:59:24 | BuiltIn |
| Monitoring | c7f3bf36-b807-4f18-82dc-f480ad713635 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) | 2023-08-11 17:58:20 | BuiltIn |
| Security Center | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2023-08-11 17:58:20 | BuiltIn | |
| Machine Learning | f110a506-2dcb-422e-bcea-d533fc8c35e2 | Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | Fixed [parameters('effects')] |
change |
Patch (1.0.2 > 1.0.3) | 2023-08-11 17:58:20 | BuiltIn | |
| Security Center | 640d2586-54d2-465f-877f-9ffc1d2109f4 | Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-08-11 17:58:20 | BuiltIn | |
| Security Center | 689f7782-ef2c-4270-a6d0-7664869076bd | Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Patch (1.0.1 > 1.0.2) | 2023-08-11 17:58:20 | BuiltIn |
| Monitoring | 7c4214e9-ea57-487a-b38e-310ec09bc21d | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) | 2023-08-11 17:58:20 | BuiltIn |
| Monitoring | a0f27bdc-5b15-4810-b81d-7c4df9df1a37 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) | 2023-08-11 17:58:20 | BuiltIn |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
| Guest Configuration | cd22fc48-f2c9-4b86-98d3-ec1268b46a8a | Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
| Guest Configuration | 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f | [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2023-08-03 17:56:09 | BuiltIn |
| Guest Configuration | fad40cac-a972-4db0-b204-f1b15cced89a | Local authentication methods should be disabled on Linux machines | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
| ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
| App Service | cd794351-e536-40f4-9750-503a463d8cad | Configure Function apps to disable public network access | Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-08-03 17:56:09 | BuiltIn |
| ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | [Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
| Guest Configuration | 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 | [Preview]: Linux machines should meet STIG compliance requirement for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn | |
| Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2023-08-03 17:56:09 | BuiltIn | |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.4.0-preview > 3.8.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
| Container Instance | 41ebf9df-66cb-48e9-a8d0-98afb4e150ce | Configure diagnostic settings for container groups to Log Analytics workspace | Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn |
| App Service | 242222f3-4985-4e99-b5ef-086d6a6cb01c | Configure Function app slots to disable public network access | Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-08-03 17:56:09 | BuiltIn |
| General | 335d919a-dc24-4a94-b7cb-9f81b1a8156f | Do Not Allow MCPP resources | Block creation of MCPP resources. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
| Kubernetes | 2cc2e023-0dac-4046-875b-178f683929d5 | Azure Kubernetes Service Clusters should enable workload identity | Workload identity allows to assign a unique identity to each Kubernetes Pod and associate it with Azure AD protected resources such as Azure Key Vault, enabling secure access to these resources from within the Pod. Learn more at: https://aka.ms/aks/wi. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
| ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.2.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2023-08-03 17:56:09 | BuiltIn |
| Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (3.1.0-preview > 3.3.0-preview) | 2023-08-03 17:56:09 | BuiltIn | |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Minor, suffix remains equal (4.0.0-preview > 4.3.0-preview) | 2023-08-03 17:56:09 | BuiltIn |
| Security Center | 3ac7c827-eea2-4bde-acc7-9568cd320efa | Machines should have secret findings resolved | Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-08-03 17:56:09 | BuiltIn | |
| General | 176b7c36-ac64-4f15-a296-50bd7fafab12 | Do Not Allow M365 resources | Block creation of M365 resources. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
| Security Center | 8ac833bd-f505-48d5-887e-c993a1d3eea0 | API endpoints in Azure API Management should be authenticated | API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
| Security Center | c8acafaf-3d23-44d1-9624-978ef0f8652c | API endpoints that are unused should be disabled and removed from the Azure API Management service | As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
| General | 16fabb5c-7379-4433-8009-042066fa3a16 | Exclude Usage Costs Resources | This policy enables you to exlcude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn | |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2023-08-03 17:56:09 | BuiltIn |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2023-08-03 17:56:09 | BuiltIn |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
| Kubernetes | e1352e44-d34d-4e4d-a22e-451a15f759a1 | Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster | Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-08-03 17:56:09 | BuiltIn |
| Guest Configuration | e79ffbda-ff85-465d-ab8e-7e58a557660f | [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-08-03 17:56:09 | BuiltIn | |
| App Service | c6c3e00e-d414-4ca4-914f-406699bb8eee | Configure App Service app slots to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-08-03 17:56:09 | BuiltIn |
| App Service | 2374605e-3e0b-492b-9046-229af202562c | Configure App Service apps to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-08-03 17:56:09 | BuiltIn |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-08-03 17:56:09 | BuiltIn | |
| Cost Optimization | Audit-AzureHybridBenefit | Audit AHUB for eligible VMs | Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-25 17:56:05 | ALZ | |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Minor, suffix remains equal (4.1.0-preview > 4.0.0-preview) | 2023-07-25 17:56:05 | BuiltIn |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.6.0-preview > 3.4.0-preview) | 2023-07-25 17:56:05 | BuiltIn |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.5.0-preview > 3.6.0-preview) | 2023-07-24 17:56:14 | BuiltIn |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) | 2023-07-24 17:56:14 | BuiltIn |
| Kubernetes | 48940d92-ff05-449e-9111-e742d9280451 | [Preview]: Reserved System Pool Taints | Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-07-24 17:56:14 | BuiltIn | |
| Guest Configuration | 480d0f91-30af-4a76-9afb-f5710ac52b09 | Private endpoints for Guest Configuration assignments should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-07-24 17:56:14 | BuiltIn | |
| Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-07-24 17:56:14 | BuiltIn | |
| Backup | d6f6f560-14b7-49a4-9fc8-d2c3a9807868 | [Preview]: Immutability must be enabled for Recovery Services vaults | This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-24 17:56:14 | BuiltIn | |
| Kubernetes | 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 | [Preview]: Must Have Anti Affinity Rules Set | This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-07-24 17:56:14 | BuiltIn | |
| Security Center | 766e621d-ba95-4e43-a6f2-e945db3d7888 | Setup subscriptions to transition to an alternative vulnerability assessment solution | Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2023-07-24 17:56:14 | BuiltIn |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-07-24 17:56:14 | BuiltIn | |
| Kubernetes | a22123bd-b9da-4c86-9424-24903e91fd55 | [Preview]: No AKS Specific Labels | Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-07-24 17:56:14 | BuiltIn | |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2023-07-14 17:56:09 | BuiltIn |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2023-07-14 17:56:09 | BuiltIn |
| Compute | c3921d55-b741-4d16-8d56-7f16e99e6892 | Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. | When export/upload URL is used, the system checks if the user has an identity in Azure Active Directory and has necessary permissions to export/upload the data. Please refer to aka.ms/DisksAzureADAuth. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-07-14 17:56:09 | BuiltIn |
| Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.3.0 > 1.4.0) | 2023-07-14 17:56:09 | BuiltIn |
| Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.3.0 > 1.4.0) | 2023-07-14 17:56:09 | BuiltIn |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.1.0 > 4.2.0) | 2023-07-14 17:56:09 | BuiltIn |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2023-07-14 17:56:09 | BuiltIn |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2023-07-14 17:56:09 | BuiltIn |
| Storage | c36a325b-ae04-4863-ad4f-19c6678f8e08 | Configure your Storage account to enable blob versioning | You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn | |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.4.0-preview > 3.5.0-preview) | 2023-07-10 18:02:26 | BuiltIn |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) | 2023-07-10 18:02:26 | BuiltIn |
| SQL Managed Instance | bb3c7464-033e-41ee-81dc-480fde675b20 | TLS protocol 1.2 must be used for Arc SQL managed instances. | As a part of network settings, Microsoft recommends allowing only TLS 1.2 for TLS protocols in SQL Servers. Learn more on network settings for SQL Server at https://aka.ms/TlsSettingsSQLServer. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn | |
| SQL Managed Instance | 6599ab01-29bc-4852-a6f5-de9e2151714a | Transparent Data Encryption must be enabled for Arc SQL managed instances. | Enable transparent data encryption (TDE) at-rest on an Azure Arc-enabled SQL Managed Instance. Learn more at https://aka.ms/EnableTDEArcSQLMI. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn | |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) | 2023-07-10 18:02:26 | BuiltIn |
| Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Patch (1.0.1 > 1.0.2) | 2023-07-10 18:02:26 | BuiltIn |
| SQL Managed Instance | 413923f0-ff16-41ae-8583-90c5c5d9fa8f | Customer managed key encryption must be used as part of CMK Encryption for Arc SQL managed instances. | As a part of CMK encryption, Customer managed key encryption must be used. Learn more at https://aka.ms/EnableTDEArcSQLMI. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn | |
| Storage | 978deb5d-c9a7-41f8-b4b2-b76880d0de1f | Modify - Configure your Storage account to enable blob versioning | You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Please note existing storage accounts will not be modified to enable Blob storage versioning. Only newly created storage accounts will have Blob storage versioning enabled | Default Modify Allowed Modify, Disabled |
count: 001 •Storage Account Contributor |
add |
new Policy | 2023-07-10 18:02:26 | BuiltIn |
| Network | Deny-MgmtPorts-From-Internet | Management port access from the Internet should be blocked | This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. | Default Deny Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet) |
2023-07-07 17:55:09 | ALZ | |
| SQL | Deploy-Sql-vulnerabilityAssessments_20230706 | Deploy SQL Database Vulnerability Assessments | Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Monitoring Contributor •SQL Security Manager •Storage Account Contributor |
add |
new Policy Replaces: [Deprecated]: Deploy SQL Database vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments) |
2023-07-07 17:55:09 | ALZ |
| SQL | Deploy-Sql-vulnerabilityAssessments | [Deprecated]: Deploy SQL Database vulnerability Assessments | Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Monitoring Contributor •SQL Security Manager •Storage Account Contributor |
change |
Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated) Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ |
2023-07-07 17:55:09 | ALZ |
| Security Center | 3ac7c827-eea2-4bde-acc7-9568cd320efa | Machines should have secret findings resolved | Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-07-03 17:55:16 | BuiltIn | |
| Backup | 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda | [Preview]: Disable Cross Subscription Restore for Backup Vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-07-03 17:55:16 | BuiltIn |
| Backup | f19b0c83-716f-4b81-85e3-2dbf057c35d6 | [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-07-03 17:55:16 | BuiltIn |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (4.1.1-deprecated > 4.2.1-deprecated) | 2023-06-26 17:52:13 | BuiltIn |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.1.0 > 7.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
| App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default Audit Allowed Audit, Disabled, Deny |
change |
Minor (1.1.0 > 1.2.0) | 2023-06-26 17:52:13 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.0 > 6.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.1.0 > 7.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
| Security Center | 3ac7c827-eea2-4bde-acc7-9568cd320efa | Machines should have secret findings resolved | Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-06-26 17:52:13 | BuiltIn | |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2023-06-26 17:52:13 | BuiltIn |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (8.1.0 > 8.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
| Key Vault | d8cf8476-a2ec-4916-896e-992351803c44 | Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation. | Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-06-26 17:52:13 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.0 > 6.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.1.0 > 7.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.0 > 6.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.1.0 > 5.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
| Data Factory | 77d40665-3120-4348-b539-3192ec808307 | Azure Data Factory should use a Git repository for source control | Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-06-26 17:52:13 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.1.0 > 5.1.1) | 2023-06-26 17:52:13 | BuiltIn | |
| Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-06-26 17:52:13 | BuiltIn | |
| Storage | Deny-FileServices-InsecureSmbChannel | File Services with insecure SMB channel encryption should be denied | This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
| Network | Deny-UDR-With-Specific-NextHop | User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied | This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
| Storage | Deny-StorageAccount-CustomDomain | Storage Accounts with custom domains assigned should be denied | This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
| Storage | Deny-Storage-SFTP | Storage Accounts with SFTP enabled should be denied | This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
| Storage | Deny-FileServices-InsecureKerberos | File Services with insecure Kerberos ticket encryption should be denied | This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
| Network | Deny-Subnet-Without-Penp | Subnets without Private Endpoint Network Policies enabled should be denied | This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
| Machine Learning | Deny-MachineLearning-PublicNetworkAccess | [Deprecated] Azure Machine Learning should have disabled public network access | Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html | Default Deny Allowed Audit, Disabled, Deny |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Azure Machine Learning Workspaces should disable public network access (438c38d2-3772-465a-a9cc-7a6666a275ce) BuiltIn |
2023-06-20 20:17:42 | ALZ | |
| SQL | Deny-PublicEndpoint-MariaDB | [Deprecated] Public network access should be disabled for MariaDB | This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html | Default Deny Allowed Audit, Deny, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077) BuiltIn |
2023-06-20 20:17:42 | ALZ | |
| Storage | Deny-FileServices-InsecureAuth | File Services with insecure authentication methods should be denied | This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
| Storage | Deny-FileServices-InsecureSmbVersions | File Services with insecure SMB versions should be denied | This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-06-20 20:17:42 | ALZ | |
| Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-06-16 17:46:02 | BuiltIn |
| Logic Apps | 34f95f76-5386-4de7-b824-0d8478470c9d | Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (5.0.0 > 5.1.0) | 2023-06-16 17:46:02 | BuiltIn | |
| Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-06-16 17:46:02 | BuiltIn |
| Monitoring | af0082fd-fa58-4349-b916-b0e47abb0935 | Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-06-16 17:46:02 | BuiltIn |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) | 2023-06-16 17:46:02 | BuiltIn |
| Monitoring | 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 | Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) | 2023-06-16 17:46:02 | BuiltIn |
| App Service | 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba | App Service apps should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
change |
Minor (1.0.0 > 1.1.0) | 2023-06-09 17:46:13 | BuiltIn | |
| App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn | |
| App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn |
| App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.1.0-deprecated) | 2023-06-09 17:46:13 | BuiltIn | |
| App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn |
| App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn |
| App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn | |
| Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2023-06-09 17:46:13 | BuiltIn | |
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (4.0.1 > 4.1.0) | 2023-06-09 17:46:13 | BuiltIn | |
| App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2023-06-09 17:46:13 | BuiltIn | |
| Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-deprecated > 1.1.0-deprecated) | 2023-06-09 17:46:13 | BuiltIn | |
| App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-06-09 17:46:13 | BuiltIn |
| Security Center | bb2c6c6d-14bc-4443-bef3-c6be0adc6076 | [Preview]: Azure Security agent should be installed on your Windows virtual machines | Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-06-06 18:29:21 | BuiltIn | |
| Backup | 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda | [Preview]: Disable Cross Subscription Restore for Backup Vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
add |
new Policy | 2023-06-06 18:29:21 | BuiltIn |
| Backup | f19b0c83-716f-4b81-85e3-2dbf057c35d6 | [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
add |
new Policy | 2023-06-06 18:29:21 | BuiltIn |
| Security Center | e16f967a-aa57-4f5e-89cd-8d1434d0a29a | [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets | Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-06-06 18:29:21 | BuiltIn | |
| Guest Configuration | 3810e389-1d92-4f77-9267-33bdcf0bd225 | Windows machines should schedule Windows Defender to perform a scheduled scan every day | To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2023-06-06 18:29:21 | BuiltIn | |
| Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | 2023-06-06 18:29:21 | BuiltIn |
| Security Center | 13a6c84f-49a5-410a-b5df-5b880c3fe009 | [Preview]: Linux virtual machines should use only signed and trusted boot components | All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-06-06 18:29:21 | BuiltIn | |
| Security Center | 808a7dc4-49f2-4e7b-af75-d14e561c244a | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent | Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-06-06 18:29:21 | BuiltIn |
| Monitoring | Deploy-Diagnostics-Firewall | Deploy Diagnostic Settings for Firewall to Log Analytics workspace | Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-05-30 30:17:42 | ALZ |
| Azure Databricks | 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 | Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption | Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-26 17:43:09 | BuiltIn | |
| Azure Databricks | 09210db3-d32c-4b2b-b4e1-f72ae920eb11 | Configure Azure Databricks Workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-26 17:43:09 | BuiltIn |
| Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.2.0 > 1.3.0) | 2023-05-26 17:43:09 | BuiltIn |
| Azure Databricks | 0eddd7f3-3d9b-4927-a07a-806e8ac9486c | Configure Azure Databricks workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-26 17:43:09 | BuiltIn |
| Cosmos DB | 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 | Cosmos DB database accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-26 17:43:09 | BuiltIn | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch (4.0.3 > 4.0.4) | 2023-05-26 17:43:09 | BuiltIn |
| Azure Databricks | 9c25c9e4-ee12-4882-afd2-11fb9d87893f | Azure Databricks Workspaces should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-26 17:43:09 | BuiltIn | |
| Azure Databricks | 258823f2-4595-4b52-b333-cc96192710d8 | Azure Databricks Workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-26 17:43:09 | BuiltIn | |
| Cosmos DB | dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 | Configure Cosmos DB database accounts to disable local authentication | Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default Modify Allowed Modify, Disabled |
count: 001 •DocumentDB Account Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-26 17:43:09 | BuiltIn |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.2.0 > 3.3.0) | 2023-05-26 17:43:09 | BuiltIn |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Patch (5.0.0 > 5.0.1) | 2023-05-26 17:43:09 | BuiltIn |
| Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.2.0 > 1.3.0) | 2023-05-26 17:43:09 | BuiltIn |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Patch (5.0.0 > 5.0.1) | 2023-05-26 17:43:09 | BuiltIn |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (4.2.0 > 4.3.0) | 2023-05-26 17:43:09 | BuiltIn |
| Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Patch (5.0.0 > 5.0.1) | 2023-05-26 17:43:09 | BuiltIn |
| App Service | Append-AppService-latestTLS | AppService append sites with minimum TLS version to enforce. | Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny. | Default Append Allowed Append, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-22 22:17:43 | ALZ | |
| Monitoring | Deploy-Diagnostics-APIMgmt | Deploy Diagnostic Settings for API Management to Log Analytics workspace | Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-05-22 22:17:43 | ALZ |
| Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Azure Machine Learning Computes to disable local authentication methods | Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2023-05-22 17:43:18 | BuiltIn |
| Azure Databricks | 51c1490f-3319-459c-bbbc-7f391bbed753 | Azure Databricks Clusters should disable public IP | Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn | |
| Machine Learning | f59276f0-5740-4aaf-821d-45d185aa210e | Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
| Security Center | 090c7b07-b4ed-4561-ad20-e9075f3ccaff | Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-22 17:43:18 | BuiltIn | |
| Azure Databricks | 9c25c9e4-ee12-4882-afd2-11fb9d87893f | Azure Databricks Workspaces should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn | |
| Azure Databricks | 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 | Azure Databricks Workspaces should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn | |
| Azure Databricks | 258823f2-4595-4b52-b333-cc96192710d8 | Azure Databricks Workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn | |
| Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning Workspaces should disable public network access | Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2023-05-22 17:43:18 | BuiltIn | |
| App Service | cca5adfe-626b-4cc6-8522-f5b6ed2391bd | Configure App Service app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-22 17:43:18 | BuiltIn |
| Azure Databricks | 09210db3-d32c-4b2b-b4e1-f72ae920eb11 | Configure Azure Databricks Workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
| Machine Learning | afe0c3be-ba3b-4544-ba52-0c99672a8ad6 | Resource logs in Azure Machine Learning Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn | |
| Machine Learning | a10ee784-7409-4941-b091-663697637c0f | Configure Azure Machine Learning Workspaces to disable public network access | Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
| Machine Learning | f110a506-2dcb-422e-bcea-d533fc8c35e2 | Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | Fixed [parameters('effects')] |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-22 17:43:18 | BuiltIn | |
| Data Factory | 3d02a511-74e5-4dab-a5fd-878704d4a61a | [Preview]: Azure Data Factory pipelines should only communicate with allowed domains | To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. | Default Deny Allowed Deny, Disabled |
add |
new Policy | 2023-05-22 17:43:18 | BuiltIn | |
| App Service | 70adbb40-e092-42d5-a6f8-71c540a5efdb | Configure Function app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-22 17:43:18 | BuiltIn |
| Azure Databricks | 138ff14d-b687-4faa-a81c-898c91a87fa2 | Resource logs in Azure Databricks Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn | |
| Machine Learning | 7804b5c7-01dc-4723-969b-ae300cc07ff1 | Azure Machine Learning Computes should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn | |
| Azure Databricks | 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d | Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-22 17:43:18 | BuiltIn |
| Machine Learning | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f | Azure Machine Learning Computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2023-05-22 17:43:18 | BuiltIn | |
| Security Center | a1181c5f-672a-477a-979a-7d58aa086233 | Security Center standard pricing tier should be selected | The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center | Default Audit Allowed Audit, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-22 17:43:18 | BuiltIn | |
| Network | Deny-MgmtPorts-From-Internet | Management port access from the Internet should be blocked | This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. | Default Deny Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet) |
2023-05-17 17:17:42 | ALZ | |
| Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-16 17:42:35 | BuiltIn | |
| SQL | e27a6dfc-883f-4f9e-97cc-a819fe702400 | [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled | This policy is deprecated because it uses unsupported api. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2023-05-16 17:42:35 | BuiltIn | |
| Azure Data Explorer | 8945ba5e-918e-4a57-8117-fe615d12e3ba | All Database Admin on Azure Data Explorer should be disabled | Disable all database admin role to restrict granting highly privileged/administrative user role. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-05-16 17:42:35 | BuiltIn | |
| Security Center | 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 | Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-12 17:41:51 | BuiltIn | |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) | 2023-05-12 17:41:51 | BuiltIn |
| Data Factory | 496ca26b-f669-4322-a1ad-06b7b5e41882 | Configure private endpoints for Data factories | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Data Factory Contributor •Network Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-12 17:41:51 | BuiltIn |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) | 2023-05-12 17:41:51 | BuiltIn |
| Kubernetes | a22123bd-b9da-4c86-9424-24903e91fd55 | [Preview]: No AKS Specific Labels | Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-05-05 17:42:17 | BuiltIn | |
| Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-05-05 17:42:17 | BuiltIn | |
| Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed deployIfNotExists |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2023-05-05 17:42:17 | BuiltIn |
| Kubernetes | 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 | [Preview]: Must Have Anti Affinity Rules Set | This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-05-05 17:42:17 | BuiltIn | |
| Kubernetes | 48940d92-ff05-449e-9111-e742d9280451 | [Preview]: Reserved System Pool Taints | Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-05-05 17:42:17 | BuiltIn | |
| SQL Server | f36de009-cacb-47b3-b936-9c4c9120d064 | Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. | Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-05 17:42:17 | BuiltIn |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Function apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | 689f7782-ef2c-4270-a6d0-7664869076bd | Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | App Service apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| App Service | 46dad49f-8945-44d7-9bb1-2e1542f627d3 | App Service app slots that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (8.0.1 > 8.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | e3576e28-8b17-4677-84c3-db2990658d64 | [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
| Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn |
| App Service | 9c014953-ef68-4a98-82af-fd0f6b2306c8 | App Service app slots that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | 9297c21d-2ed6-4474-b48f-163f75654ce3 | [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.1 > 3.0.1-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.1 > 4.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (8.0.1 > 8.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| SQL | 40e85574-ef33-47e8-a854-7a65c7500560 | Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled | Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 0cfea604-3201-4e14-88fc-fae4c427a6c5. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (9.0.1 > 9.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| App Service | 014664e7-e348-41a3-aeb9-566e4ff6a9df | Configure App Service app slots to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-01 17:41:52 | BuiltIn |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (9.0.1 > 9.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.0.1 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (8.0.1 > 8.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| App Service | fa3a6357-c6d6-4120-8429-855577ec0063 | Configure Function app slots to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-01 17:41:52 | BuiltIn |
| Security Center | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | [Deprecated]: Deprecated accounts should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | 1f725891-01c0-420a-9059-4fa46cb770b7 | Configure Microsoft Defender for Key Vault plan | Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-01 17:41:52 | BuiltIn |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | f8456c1c-aa66-4dfb-861a-25d127b775c9 | [Deprecated]: External accounts with owner permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 339353f6-2387-4a45-abe4-7f529d121046. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Disabled |
change |
Minor (3.0.1 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | 2370a3c1-4a25-4283-a91a-c9c1a145fb2f | [Deprecated]: Configure Azure Defender for DNS to be enabled | This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-01 17:41:52 | BuiltIn |
| Security Center | 74c30959-af11-47b3-9ed2-a26e03f427a3 | Configure Microsoft Defender for Storage (Classic) to be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-01 17:41:52 | BuiltIn |
| SQL | e27a6dfc-883f-4f9e-97cc-a819fe702400 | [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled | This policy is deprecated because it uses unsupported api. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.1 > 4.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | [Deprecated]: External accounts with read permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e9ac8f8e-ce22-4355-8f04-99b911d6be52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| App Service | e1d1b522-02b0-4d18-a04f-5ab62d20445f | Function app slots that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | [Deprecated]: External accounts with write permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 94e1c2ac-cbbe-4cac-a2b5-389c812dee87. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.0.1 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 5485eac0-7e8f-4964-998b-a44f4f0c1e75 | Kubernetes cluster Windows containers should not run as ContainerAdministrator | Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| API Management | ffe25541-3853-4f4e-b71d-064422294b11 | API Management should have username and password authentication disabled | To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| App Service | f466b2a6-823d-470d-8ea5-b031e72d79ae | App Service app slots that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | aa633080-8b72-40c4-a2d7-d00c03e80bed | [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e3e008c3-56b9-4133-8fd7-d3347377402a. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.1.1 > 3.2.1) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (8.0.1 > 8.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (9.0.1 > 9.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | 50ea7265-7d8c-429e-9a7d-ca1f410191c3 | Configure Azure Defender for SQL servers on machines to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.0.1 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | c9ddb292-b203-4738-aead-18e2716e858f | Configure Microsoft Defender for Containers to be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | App Service apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| App Service | 829b40f3-d3db-4fd2-be46-76663d3aeeb2 | Function app slots that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 | Configure Azure Defender for servers to be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 | Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.1 > 1.0.2) | 2023-05-01 17:41:52 | BuiltIn |
| Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (2.1.1-preview > 2.2.0-preview) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch (4.0.2 > 4.0.3) | 2023-05-01 17:41:52 | BuiltIn |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.1 > 5.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Security Center | b99b73e7-074b-4089-9395-b7236f094491 | Configure Azure Defender for Azure SQL database to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-05-01 17:41:52 | BuiltIn |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Function apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2023-05-01 17:41:52 | BuiltIn | |
| Cache | Append-Redis-disableNonSslPort | Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. | Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default Append Allowed Append, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-04-25 25:17:42 | ALZ | |
| Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-04-25 17:42:14 | BuiltIn | |
| Guest Configuration | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-04-25 17:42:14 | BuiltIn | |
| Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-04-25 17:42:14 | BuiltIn | |
| Guest Configuration | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-04-25 17:42:14 | BuiltIn | |
| Security Center | af9f6c70-eb74-4189-8d15-e4f11a7ebfd4 | Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data | Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-04-25 17:42:14 | BuiltIn |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (4.1.0 > 4.2.0) | 2023-04-25 17:42:14 | BuiltIn |
| Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Deprecated]: Configure Microsoft Defender for APIs should be enabled | This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2023-04-17 17:42:20 | BuiltIn |
| SQL Server | f36de009-cacb-47b3-b936-9c4c9120d064 | Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. | Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-04-17 17:42:20 | BuiltIn |
| Security Center | 7926a6d1-b268-4586-8197-e8ae90c877d7 | Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2023-04-17 17:42:20 | BuiltIn | |
| Managed Grafana | 67529aa1-5285-4b1c-8e6f-5ccd861ac98e | Configure Azure Managed Grafana workspaces to disable public network access | Disable public network access for your Azure Managed Grafana workspace so that it's not accessible over the public internet. This can reduce data leakage risks. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-04-17 17:42:20 | BuiltIn |
| API Management | ffe25541-3853-4f4e-b71d-064422294b11 | API Management should have username and password authentication disabled | To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-04-17 17:42:20 | BuiltIn | |
| API Management | 1b0d74ac-4b43-4c39-a15f-594385adc38d | Modify API Management to disable username and password authentication | To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default Modify Allowed Modify |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-04-17 17:42:20 | BuiltIn |
| SQL | Deploy-Sql-Tde | [Deprecated] Deploy SQL Database Transparent Data Encryption | Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Security Manager |
change |
Patch, suffix remains equal (1.1.0-deprecated > 1.1.1-deprecated) Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn |
2023-04-17 17:17:42 | ALZ |
| Network | Deny-RDP-From-Internet | [Deprecated] RDP access from the Internet should be blocked | This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html | Default Deny Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated) Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ |
2023-04-17 17:17:42 | ALZ | |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (3.1.0 > 3.1.1) | 2023-04-11 17:42:55 | BuiltIn | |
| Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn | |
| Network | 2f080164-9f4d-497e-9db6-416dc9f7b48a | Network Watcher flow logs should have traffic analytics enabled | Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-04-06 17:42:16 | BuiltIn | |
| Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-04-06 17:42:16 | BuiltIn |
| Managed Identity | ae62c456-33de-4dc8-b100-7ce9028a7d99 | [Preview]: Managed Identity Federated Credentials from Azure Kubernetes should be from trusted sources | This policy limits federeation with Azure Kubernetes clusters to only clusters from approved tenants, approved regions, and a specific exception list of additional clusters. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2023-04-06 17:42:16 | BuiltIn | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
| Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.2.0 > 2.3.0) | 2023-04-06 17:42:16 | BuiltIn |
| Tags | 36fd7371-8eb7-4321-9c30-a7100022d048 | Requires resources to not have a specific tag. This is a versioning test built-in. | Denies the creation of a resource that contains the given tag. Does not apply to resource groups. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-04-06 17:42:16 | BuiltIn | |
| SQL | 146412e9-005c-472b-9e48-c87b72ac229e | A Microsoft Entra administrator should be provisioned for MySQL servers | Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-04-06 17:42:16 | BuiltIn | |
| Network | 052c180e-287d-44c3-86ef-01aeae2d9774 | Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics | If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-04-06 17:42:16 | BuiltIn |
| Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn | |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (4.1.0 > 4.2.0) | 2023-04-06 17:42:16 | BuiltIn |
| Network | cd6f7aff-2845-4dab-99f2-6d1754a754b0 | Deploy a Flow Log resource with target virtual network | Configures flow log for specific virtual network. It will allow to log information about IP traffic flowing through an virtual network. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-04-06 17:42:16 | BuiltIn |
| Managed Identity | 2571b7c3-3056-4a61-b00a-9bc5232234f5 | [Preview]: Managed Identity Federated Credentials should be from allowed issuer types | This policy limits whether Managed Identities can use federated credentials, which common issuer types are allowed, and provides a list of allowed issuer exceptions. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2023-04-06 17:42:16 | BuiltIn | |
| Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn | |
| Network | 27960feb-a23c-4577-8d36-ef8b5f35e0be | All flow log resources should be in enabled state | Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-04-06 17:42:16 | BuiltIn | |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
| Network | 4c3c6c5f-0d47-4402-99b8-aa543dd8bcee | Audit flow logs configuration for every virtual network | Audit for virtual network to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-04-06 17:42:16 | BuiltIn | |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
| Machine Learning | f110a506-2dcb-422e-bcea-d533fc8c35e2 | Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | Fixed [parameters('effects')] |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-04-06 17:42:16 | BuiltIn | |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.1.0 > 3.2.0) | 2023-04-06 17:42:16 | BuiltIn |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn | |
| Network | 3e9965dc-cc13-47ca-8259-a4252fd0cf7b | Configure virtual network to enable Flow Log and Traffic Analytics | Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current setting for virtual networks that already have these feature enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-04-06 17:42:16 | BuiltIn |
| Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-04-06 17:42:16 | BuiltIn | |
| Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-04-06 17:42:16 | BuiltIn |
| Managed Identity | fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f | [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners | This policy limits federation with GitHub repos to only approved repository owners. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2023-04-06 17:42:16 | BuiltIn | |
| Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.2.0 > 2.3.0) | 2023-04-06 17:42:16 | BuiltIn |
| Monitoring | Deploy-Diagnostics-WVDHostPools | Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace | Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.2.0 > 1.3.0) | 2023-04-06 06:17:42 | ALZ |
| Cost Optimization | Audit-Disks-UnusedResourcesCostOptimization | Unused Disks driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-04-06 06:17:42 | ALZ | |
| Cost Optimization | Audit-ServerFarms-UnusedResourcesCostOptimization | Unused App Service plans driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-04-06 06:17:42 | ALZ | |
| SQL | Deploy-Sql-Tde | [Deprecated] Deploy SQL Database Transparent Data Encryption | Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Security Manager |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn |
2023-04-06 06:17:42 | ALZ |
| Network | Audit-PrivateLinkDnsZones | Audit the creation of Private Link Private DNS Zones | This policy audits the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-04-06 06:17:42 | ALZ | |
| Network | Deny-RDP-From-Internet | [Deprecated] RDP access from the Internet should be blocked | This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html | Default Deny Allowed Audit, Deny, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ |
2023-04-06 06:17:42 | ALZ | |
| Monitoring | Deploy-Diagnostics-EventGridTopic | Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace | Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-04-06 06:17:42 | ALZ |
| Network | Deny-MgmtPorts-From-Internet | Management port access from the Internet should be blocked | This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet) |
2023-04-06 06:17:42 | ALZ | |
| Compute | Deploy-Vm-autoShutdown | Deploy Virtual Machine Auto Shutdown Schedule | Deploys an auto shutdown schedule to a virtual machine | Fixed deployIfNotExists |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2023-04-06 06:17:42 | ALZ |
| Cost Optimization | Audit-PublicIpAddresses-UnusedResourcesCostOptimization | Unused Public IP addresses driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-04-06 06:17:42 | ALZ | |
| Monitoring | Deploy-Diagnostics-VWanS2SVPNGW | Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace | Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2023-04-06 06:17:42 | ALZ |
| Security Center | 74c30959-af11-47b3-9ed2-a26e03f427a3 | Configure Microsoft Defender for Storage (Classic) to be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-03-31 17:44:15 | BuiltIn |
| API Management | df73bd95-24da-4a4f-96b9-4e8b94b402bd | API Management should disable public network access to the service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-03-31 17:44:15 | BuiltIn | |
| Key Vault | 405c5871-3e91-4644-8a63-58e19d68ff5b | Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-31 17:44:15 | BuiltIn | |
| Cosmos DB | da69ba51-aaf1-41e5-8651-607cd0b37088 | Configure CosmosDB accounts to disable public network access | Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Default Modify Allowed Modify, Disabled |
count: 002 •Contributor •DocumentDB Account Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-03-31 17:44:15 | BuiltIn |
| Network | 4598f028-de1f-4694-8751-84dceb5f86b9 | Azure Web Application Firewall on Azure Front Door should have request body inspection enabled | Ensure that Web Application Firewalls associated to Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
| Network | ca85ef9a-741d-461d-8b7a-18c2da82c666 | Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled | Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
| API Management | b741306c-968e-4b67-b916-5675e5c709f4 | API Management direct management endpoint should not be enabled | The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.1 > 1.0.2) | 2023-03-31 17:44:15 | BuiltIn | |
| Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-03-31 17:44:15 | BuiltIn | |
| Network | 882e19a6-996f-400e-a30f-c090887254f4 | Migrate WAF from WAF Config to WAF Policy on Application Gateway | If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
| API Management | 1b0d74ac-4b43-4c39-a15f-594385adc38d | Modify API Management to disable username and password authentication | To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default Modify Allowed Modify |
count: 001 •Contributor |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn |
| Network | e52e8487-4a97-48ac-b3e6-1c3cef45d298 | Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF | The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
| API Management | 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 | Configure API Management services to disable access to API Management public service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •API Management Service Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-31 17:44:15 | BuiltIn |
| Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.3 > 1.0.4) | 2023-03-31 17:44:15 | BuiltIn | |
| Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn |
| Monitoring | cd906338-3453-47ba-9334-2d654bf845af | Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled | Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Minor (3.3.0 > 3.4.0) | 2023-03-31 17:44:15 | BuiltIn |
| API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2023-03-31 17:44:15 | BuiltIn | |
| Security Center | 17bc14a7-92e1-4551-8b8c-80f36953e166 | Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2023-03-31 17:44:15 | BuiltIn |
| Storage | 361c2074-3595-4e5d-8cab-4f21dffc835c | Deploy Defender for Storage (Classic) on storage accounts | This policy enables Defender for Storage (Classic) on storage accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2023-03-31 17:44:15 | BuiltIn |
| Monitoring | 71153be3-4742-4aae-9aec-150f7589311b | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | b9b976cc-59ef-468a-807e-19afa2ebfd52 | Enable logging by category group for microsoft.network/p2svpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Azure Databricks | 258823f2-4595-4b52-b333-cc96192710d8 | Azure Databricks Workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-03-27 17:43:07 | BuiltIn | |
| Monitoring | e7c86682-34c1-488a-9aab-9cb279207992 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use only encrypted protocols | To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (2.0.1 > 2.0.2) | 2023-03-27 17:43:07 | BuiltIn | |
| Monitoring | 3a8ff864-d881-44ce-bed3-0c63ede634cb | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | a81eb966-6696-46b1-9153-bed01569a7d0 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 3d034ef2-001c-46f6-a47b-e6e4a74ff89b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| App Service | a08ae1ab-8d1d-422b-a123-df82b307ba61 | App Service app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-03-27 17:43:07 | BuiltIn | |
| Monitoring | a285df35-0164-4f4d-9e04-c39056742c55 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | dfbfceaa-14b2-4a90-a679-d169fa6a6a38 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 9e6aee71-3781-4acd-bba7-aac4fb067dfa | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | a853abad-dfa4-4bf5-aaa1-04cb10c02d23 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Azure Databricks | 0eddd7f3-3d9b-4927-a07a-806e8ac9486c | Configure Azure Databricks workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | a9ebdeda-251a-4311-92be-5167d73b1682 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | fc744b31-a930-4eb5-bc06-e81f98bf7214 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 0628b917-d4b4-4af5-bc2b-b4f87cd173ab | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 8d253bba-a338-4fd9-9752-6b6edadca1eb | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 1abe42e1-a726-4dee-94c2-79f364dac9b7 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | f6d5d5d5-0fa9-4257-b820-69c35016c973 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | d9f11fea-dd45-46aa-8908-b7a146f1e543 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | ae48c709-d2b4-4fad-8c5c-838524130aa4 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | e488a548-7afd-43a7-a903-2a6dd36e7504 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Azure Databricks | 9c25c9e4-ee12-4882-afd2-11fb9d87893f | Azure Databricks Workspaces should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-27 17:43:07 | BuiltIn | |
| Monitoring | 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | fc602c00-2ce3-4556-b615-fa4159517103 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | eb5a4c26-04cb-4ab1-81cb-726dc58df772 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 480851ae-9ff3-49d1-904c-b5bd6f83f1ec | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Azure Databricks | 09210db3-d32c-4b2b-b4e1-f72ae920eb11 | Configure Azure Databricks Workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | f5094957-e0f7-4af2-9e14-13d60141dc4a | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | a142867f-3142-4ac6-b952-ab950a29fca5 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.2.0-preview > 3.3.0-preview) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 76539a09-021e-4300-953b-4c6018ac26dc | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 792f8b74-dc05-44fd-b90d-340a097b80e6 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 9ba29e83-863d-4fec-81d0-16dd87067cc3 | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Monitoring | 6b2899d8-5fdf-4ade-ba59-f1f82664877b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-27 17:43:07 | BuiltIn |
| Guest Configuration | 3810e389-1d92-4f77-9267-33bdcf0bd225 | Windows machines should schedule Windows Defender to perform a scheduled scan every day | To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-17 18:44:06 | BuiltIn | |
| SignalR | 62a3ae95-8169-403e-a2d2-b82141448092 | Modify Azure SignalR Service resources to disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Modify Allowed Modify, Disabled |
count: 001 •SignalR/Web PubSub Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-17 18:44:06 | BuiltIn |
| Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | [Deprecated]: Azure Machine Learning workspaces should use private link | This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2023-03-17 18:44:06 | BuiltIn | |
| API Management | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management calls to API backends should not bypass certificate thumbprint or name validation | To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.1 > 1.0.2) | 2023-03-17 18:44:06 | BuiltIn | |
| Security Center | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-03-17 18:44:06 | BuiltIn | |
| Container Instances | 21c469fa-a887-4363-88a9-60bfd6911a15 | Configure diagnostics for container group to log analytics workspace | Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. | Default Append Allowed Append, Disabled |
add |
new Policy | 2023-03-17 18:44:06 | BuiltIn | |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default Audit Allowed Audit, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2023-03-17 18:44:06 | BuiltIn | |
| Machine Learning | 45e05259-1eb5-4f70-9574-baf73e9d219b | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-03-17 18:44:06 | BuiltIn | |
| SignalR | 21a9766a-82a5-4747-abb5-650b6dbba6d0 | Azure SignalR Service should disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-03-17 18:44:06 | BuiltIn | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch (4.0.1 > 4.0.2) | 2023-03-17 18:44:06 | BuiltIn |
| Azure Databricks | 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 | Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption | Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-03-10 18:58:56 | BuiltIn | |
| Backup | 04726aae-4e8d-427c-af7d-ecf56d490022 | [Preview]: Configure Azure Recovery Services vaults to disable public network access | Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. | Default Modify Allowed Modify, Disabled |
count: 001 •Backup Contributor |
add |
new Policy | 2023-03-10 18:58:56 | BuiltIn |
| Managed Grafana | bc33de80-97cd-4c11-b6b4-d075e03c7d60 | Configure Azure Managed Grafana dashboards with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-03-10 18:58:56 | BuiltIn |
| Managed Grafana | 4c8537f8-cd1b-49ec-b704-18e82a42fd58 | Configure Azure Managed Grafana workspaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2023-03-10 18:58:56 | BuiltIn |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Minor (3.2.0 > 3.3.0) | 2023-03-03 18:43:58 | BuiltIn |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.1.0-preview > 3.2.0-preview) | 2023-03-03 18:43:58 | BuiltIn |
| Guest Configuration | 3dc5edcd-002d-444c-b216-e123bbfa37c0 | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-03-03 18:43:58 | BuiltIn | |
| Guest Configuration | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-03-03 18:43:58 | BuiltIn | |
| Kubernetes | a8e653d9-b5d4-48a0-afe6-14d881f9ee9a | Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed | Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2023-03-03 18:43:58 | BuiltIn |
| Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) | 2023-02-27 19:03:54 | BuiltIn | |
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
| Azure Data Explorer | a47272e1-1d5d-4b0b-b366-4873f1432fe0 | Configure Azure Data Explorer clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •SQL Server Contributor |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn |
| Managed Grafana | e8775d5a-73b7-4977-a39b-833ef0114628 | Azure Managed Grafana workspaces should disable public network access | Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
| Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn | |
| Azure Data Explorer | 7b32f193-cb28-4e15-9a98-b9556db0bafa | Configure Azure Data Explorer to disable public network access | Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters . | Default Modify Allowed Modify, Disabled |
count: 001 •SQL Server Contributor |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn |
| Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
| Managed Grafana | 3a97e513-f75e-4230-8137-1efad4eadbbc | Azure Managed Grafana should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
| Automanage | fb97d6e1-5c98-4743-a439-23e0977bad9e | [Preview]: Boot Diagnostics should be enabled on virtual machines | Azure virtual machines should have boot diagniostics enabled. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
| Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Kubernetes Extension Contributor |
change |
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) | 2023-02-27 19:03:54 | BuiltIn |
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
| Security Center | 009259b0-12e8-42c9-94e7-7af86aa58d13 | [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Reader •Virtual Machine Contributor |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
| Azure Data Explorer | 1fec9658-933f-4b3e-bc95-913ed22d012b | Azure Data Explorer should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
| Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn |
| Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-02-27 19:03:54 | BuiltIn | |
| Azure Data Explorer | 43bc7be6-5e69-4b0d-a2bb-e815557ca673 | Public network access on Azure Data Explorer should be disabled | Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
| Azure Data Explorer | f7735886-8927-431f-b201-c953922512b8 | Azure Data Explorer cluster should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-27 19:03:54 | BuiltIn | |
| Monitoring | Deploy-Diagnostics-Databricks | Deploy Diagnostic Settings for Databricks to Log Analytics workspace | Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.2.0 > 1.3.0) | 2023-02-23 23:18:45 | ALZ |
| Monitoring | Deploy-Diagnostics-PostgreSQL | Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace | Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.1.0 > 2.0.0) | 2023-02-23 23:18:45 | ALZ |
| Desktop Virtualization | e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 | Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts | Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Desktop Virtualization Host Pool Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
| Desktop Virtualization | 7b331e6b-6096-4395-a754-758a64505f19 | Configure Azure Virtual Desktop hostpools with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Minor (3.0.1 > 3.1.0) | 2023-02-16 18:41:08 | BuiltIn |
| Desktop Virtualization | a22065a3-3b04-46ff-b84c-2d30e5c300d0 | Azure Virtual Desktop hostpools should disable public network access only on session hosts | Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
| Desktop Virtualization | 02aa841c-42e8-492f-a43d-1f2c67e58d41 | Configure Azure Virtual Desktop workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
| Desktop Virtualization | ce6ebf1d-0b94-4df9-9257-d8cacc238b4f | Configure Azure Virtual Desktop workspaces to disable public network access | Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Desktop Virtualization Workspace Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (3.0.1 > 3.1.0) | 2023-02-16 18:41:08 | BuiltIn |
| Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated) | 2023-02-16 18:41:08 | BuiltIn | |
| Desktop Virtualization | 2a0913ff-51e7-47b8-97bb-ea17127f7c8d | Configure Azure Virtual Desktop hostpools to disable public network access | Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Desktop Virtualization Host Pool Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
| Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Deprecated]: Private endpoint should be configured for Key Vault | The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.1.1-deprecated) | 2023-02-16 18:41:08 | BuiltIn | |
| Automanage | e4953962-5ae4-43eb-bb92-d66fd5563487 | [Preview]: A managed identity should be enabled on your machines | Resources managed by Automanage should have a managed identity. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
| Desktop Virtualization | 87ac3038-c07a-4b92-860d-29e270a4f3cd | Azure Virtual Desktop workspaces should disable public network access | Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
| Desktop Virtualization | 9427df23-0f42-4e1e-bf99-a6133d841c4a | Configure Azure Virtual Desktop hostpool resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
| Automanage | fd4726f4-a5fc-4540-912d-67c96fc992d5 | [Preview]: Automanage Configuration Profile Assignment should be Conformant | Resources managed by Automanage should have a status of Conformant or ConformantCorrected. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
| Desktop Virtualization | 34804460-d88b-4922-a7ca-537165e060ed | Configure Azure Virtual Desktop workspace resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn |
| Desktop Virtualization | c25dcf31-878f-4eba-98eb-0818fdc6a334 | Azure Virtual Desktop hostpools should disable public network access | Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
| Desktop Virtualization | ca950cd7-02f7-422e-8c23-91ff40f169c1 | Azure Virtual Desktop service should use private link | Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-02-16 18:41:08 | BuiltIn | |
| Monitoring | Deploy-Diagnostics-VNetGW | Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace | Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.1.0 > 1.1.1) | 2023-02-16 16:18:41 | ALZ |
| Monitoring | Deploy-Diagnostics-Website | Deploy Diagnostic Settings for App Service to Log Analytics workspace | Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-02-16 16:18:41 | ALZ |
| Monitoring | fc602c00-2ce3-4556-b615-fa4159517103 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 71153be3-4742-4aae-9aec-150f7589311b | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | fe85de62-a656-4b79-9d94-d95c89319bd9 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 3d034ef2-001c-46f6-a47b-e6e4a74ff89b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | a285df35-0164-4f4d-9e04-c39056742c55 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | ed6ae75a-828f-4fea-88fd-dead1145f1dd | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | a142867f-3142-4ac6-b952-ab950a29fca5 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | b88bfd90-4da5-43eb-936f-ae1481924291 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | fc744b31-a930-4eb5-bc06-e81f98bf7214 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 567c93f7-3661-494f-a30f-0a94d9bfebf8 | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | e9c56c41-d453-4a80-af93-2331afeb3d82 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 818719e5-1338-4776-9a9d-3c31e4df5986 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | a9ebdeda-251a-4311-92be-5167d73b1682 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 6b359d8f-f88d-4052-aa7c-32015963ecc1 | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | f969646f-b6b8-45a0-b736-bf9b4bb933dc | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | aec4c33f-2f2a-4fd3-91cd-24a939513c60 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 9e6aee71-3781-4acd-bba7-aac4fb067dfa | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 14e81583-c89c-47db-af0d-f9ddddcccd9f | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | f6d5d5d5-0fa9-4257-b820-69c35016c973 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 0925a080-ab8d-44a1-a39c-61e184b4d8f9 | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 480851ae-9ff3-49d1-904c-b5bd6f83f1ec | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 614d9fbd-68cd-4832-96db-3362069661b2 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | f5094957-e0f7-4af2-9e14-13d60141dc4a | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 8656d368-0643-4374-a63f-ae0ed4da1d9a | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | d147ba9f-3e17-40b1-9c23-3bca478ba804 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | b9b976cc-59ef-468a-807e-19afa2ebfd52 | Enable logging by category group for microsoft.network/p2svpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 0628b917-d4b4-4af5-bc2b-b4f87cd173ab | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | dfbfceaa-14b2-4a90-a679-d169fa6a6a38 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 792f8b74-dc05-44fd-b90d-340a097b80e6 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 | Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Guest Configuration | f40c7c00-b4e3-4068-a315-5fe81347a904 | [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines | This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | a853abad-dfa4-4bf5-aaa1-04cb10c02d23 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 1abe42e1-a726-4dee-94c2-79f364dac9b7 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | e20f31d7-6b6d-4644-962a-ae513a85ab0b | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 94d707a8-ce27-4851-9ce2-07dfe96a095b | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2023-02-10 18:41:56 | BuiltIn | |
| Monitoring | 03a087c0-b49f-4440-9ae5-013703eccc8c | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | be9259e2-a221-4411-84fd-dd22c6691653 | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 0e0c742d-5031-4e65-bf96-1bee7cf55740 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 6567d3f3-42d0-4cfb-9606-9741ba60fa07 | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 3dd58519-427e-42a4-8ffc-e415a3c716f1 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | ae48c709-d2b4-4fad-8c5c-838524130aa4 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | b4a9c220-1d62-4163-a17b-30db7d5b7278 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 76539a09-021e-4300-953b-4c6018ac26dc | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 6b2899d8-5fdf-4ade-ba59-f1f82664877b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | bf6af3d2-fbd5-458f-8a40-2556cf539b45 | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | f873a711-0322-4744-8322-7e62950fbec2 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 39741c6f-5e8b-4511-bba4-6662d0e0e2ac | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | f8352124-56fa-4f94-9441-425109cdc14b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 93a604fe-0ec2-4a99-ab8c-7ef08f05555a | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 56288eb2-4350-461d-9ece-2bb242269dce | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 0da6faeb-d6c6-4f6e-9f49-06277493270b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 46b2dd5d-3936-4347-8908-b298ea4466d3 | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 50cebe4c-8021-4f07-bcb2-6c80622444a9 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| SQL | 146412e9-005c-472b-9e48-c87b72ac229e | A Microsoft Entra administrator should be provisioned for MySQL servers | Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn | |
| Monitoring | 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 106cd3bd-50a1-466c-869f-f9c2d310477b | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 69ab8bfc-dc5b-443d-93a7-7531551dec66 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | fc66c506-9397-485e-9451-acc1525f0070 | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 90c90eda-bfe7-4c67-bf26-410420ed1047 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 4b05de63-3ad2-4f6d-b421-da21f1328f3b | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | b797045a-b3cd-46e4-adc4-bbadb3381d78 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 8d253bba-a338-4fd9-9752-6b6edadca1eb | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 00ec9865-beb6-4cfd-82ed-bd8f50756acd | Enable logging by category group for microsoft.network/p2svpngateways to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 441af8bf-7c88-4efc-bd24-b7be28d4acce | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 6f3f5778-f809-4755-9d8f-bd5a5a7add85 | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 3496f6fd-57ba-485c-8a14-183c4493b781 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | f08edf17-5de2-4966-8c62-a50a3f4368ff | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 34c7546c-d637-4b5d-96ab-93fb6ed07af8 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 20f21bc7-b0b8-4d57-83df-5a8a0912b934 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | eb5a4c26-04cb-4ab1-81cb-726dc58df772 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | e488a548-7afd-43a7-a903-2a6dd36e7504 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | a8de4d0a-d637-4684-b70e-6df73b74d117 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | edf35972-ed56-4c2f-a4a1-65f0471ba702 | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| SQL | b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 | A Microsoft Entra administrator should be provisioned for PostgreSQL servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn | |
| Monitoring | b90ec596-faa6-4c61-9515-34085703e260 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| API Management | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management secret named values should be stored in Azure Key Vault | Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.1 > 1.0.2) | 2023-02-10 18:41:56 | BuiltIn | |
| Monitoring | e7c86682-34c1-488a-9aab-9cb279207992 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 1513498c-3091-461a-b321-e9b433218d28 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 07c818eb-df75-4465-9233-6a8667e86670 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | c3b912c2-7f5b-47ac-bd52-8c85a7667961 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 69214fad-6742-49a9-8f71-ee9d269364ab | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | a81eb966-6696-46b1-9153-bed01569a7d0 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | d3e11828-02c8-40d2-a518-ad01508bb4d7 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 3a8ff864-d881-44ce-bed3-0c63ede634cb | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 55d1f543-d1b0-4811-9663-d6d0dbc6326d | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 9f4e810a-899e-4e5e-8174-abfcf15739a3 | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | d9f11fea-dd45-46aa-8908-b7a146f1e543 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 9ba29e83-863d-4fec-81d0-16dd87067cc3 | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2023-02-10 18:41:56 | BuiltIn |
| Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2023-02-03 18:39:01 | BuiltIn | |
| Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.1.0 > 2.2.0) | 2023-02-03 18:39:01 | BuiltIn |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (6.0.0 > 6.1.0) | 2023-02-03 18:39:01 | BuiltIn |
| Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2023-02-03 18:39:01 | BuiltIn |
| Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.1.0 > 2.2.0) | 2023-02-03 18:39:01 | BuiltIn |
| Key Vault | a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.1 > 1.2.1) | 2023-02-03 18:39:01 | BuiltIn | |
| Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2023-02-03 18:39:01 | BuiltIn |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.0.0 > 4.1.0) | 2023-02-03 18:39:01 | BuiltIn |
| Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2023-02-03 18:39:01 | BuiltIn | |
| SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2023-01-27 18:40:07 | BuiltIn | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Minor (3.1.0 > 3.2.0) | 2023-01-27 18:40:07 | BuiltIn |
| Network | e920df7f-9a64-4066-9b58-52684c02a091 | Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-01-27 18:40:07 | BuiltIn |
| API Management | 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 | API Management subscriptions should not be scoped to all APIs | API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. | Default Audit Allowed Audit, Disabled, Deny |
change |
Minor (1.0.0 > 1.1.0) | 2023-01-27 18:40:07 | BuiltIn | |
| Key Vault | 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 | Azure Key Vault should use RBAC permission model | Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-01-27 18:40:07 | BuiltIn | |
| Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2023-01-27 18:40:07 | BuiltIn |
| Network | 5e1cd26a-5090-4fdb-9d6a-84a90335e22d | Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2023-01-27 18:40:07 | BuiltIn |
| Machine Learning | Deny-MachineLearning-PublicAccessWhenBehindVnet | Deny public access behind vnet to Azure Machine Learning workspace | Deny public access behind vnet to Azure Machine Learning workspaces. | Default Deny Allowed Audit, Disabled, Deny |
change |
Patch (1.0.0 > 1.0.1) | 2023-01-24 24:18:06 | ALZ | |
| Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2023-01-23 18:07:09 | BuiltIn | |
| Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | Configure Azure Key Vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-01-23 18:07:09 | BuiltIn |
| Backup | 2514263b-bc0d-4b06-ac3e-f262c0979018 | [Preview]: Immutability must be enabled for backup vaults | This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-01-23 18:07:09 | BuiltIn | |
| Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-01-23 18:07:09 | BuiltIn | |
| Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Kubernetes Extension Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-01-23 18:07:09 | BuiltIn |
| Key Vault | ed7c8c13-51e7-49d1-8a43-8490431a0da2 | Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (3.0.0 > 3.0.1) | 2023-01-23 18:07:09 | BuiltIn |
| Backup | 9798d31d-6028-4dee-8643-46102185c016 | [Preview]: Soft delete should be enabled for Backup Vaults | This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2023-01-23 18:07:09 | BuiltIn | |
| Key Vault | a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-01-23 18:07:09 | BuiltIn | |
| Key Vault | 9d4fad1f-5189-4a42-b29e-cf7929c6b6df | Configure Azure Key Vaults with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Key Vault Contributor •Network Contributor |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2023-01-23 18:07:09 | BuiltIn |
| Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
| Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2023-01-13 18:06:06 | BuiltIn |
| Backup | 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 | [Preview]: Azure Recovery Services vaults should disable public network access | Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-01-13 18:06:06 | BuiltIn | |
| Web PubSub | 17f9d984-90c8-43dd-b7a6-76cb694815c1 | Configure Azure Web PubSub Service to disable local authentication | Disable local authentication methods so that your Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •SignalR/Web PubSub Contributor |
add |
new Policy | 2023-01-13 18:06:06 | BuiltIn |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.0.0 > 9.1.0) | 2023-01-13 18:06:06 | BuiltIn |
| Service Bus | cbd11fd3-3002-4907-b6c8-579f0e700e13 | Service Bus Namespaces should disable public network access | Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2023-01-13 18:06:06 | BuiltIn | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2023-01-13 18:06:06 | BuiltIn |
| Key Vault | 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 | [Preview]: Azure Key Vault Managed HSM keys should have an expiration date | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
| Machine Learning | ee40564d-486e-4f68-a5ca-7a621edae0fb | Configure Azure Machine Learning workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2023-01-13 18:06:06 | BuiltIn |
| SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | This policy is deprecated. The policy ensures that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2023-01-13 18:06:06 | BuiltIn | |
| Key Vault | ad27588c-0198-4c84-81ef-08efd0274653 | [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
| Web PubSub | b66ab71c-582d-4330-adfd-ac162e78691e | Azure Web PubSub Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Web PubSub Service exclusively require Azure Active Directory identities for authentication. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-01-13 18:06:06 | BuiltIn | |
| SQL | 86a912f6-9a06-4e26-b447-11b16ba8659f | Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL DB Contributor |
change |
Minor (2.1.0 > 2.2.0) | 2023-01-13 18:06:06 | BuiltIn |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.0.0 > 9.1.0) | 2023-01-13 18:06:06 | BuiltIn |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2023-01-13 18:06:06 | BuiltIn | |
| Data Factory | 127ef6d7-242f-43b3-9eef-947faf1725d0 | Azure Data Factory linked services should use Key Vault for storing secrets | To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
| Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (2.0.0-preview > 2.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
| Container Registry | e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 | Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2023-01-13 18:06:06 | BuiltIn |
| Data Factory | 85bb39b5-2f66-49f8-9306-77da3ac5130f | Azure Data Factory integration runtime should have a limit for number of cores | To manage your resources and costs, limit the number of cores for an integration runtime. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
| Key Vault | e58fd0c1-feac-4d12-92db-0a7e9421f53e | [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
| Machine Learning | f110a506-2dcb-422e-bcea-d533fc8c35e2 | Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | Fixed [parameters('effects')] |
add |
new Policy | 2023-01-13 18:06:06 | BuiltIn | |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.0.0 > 9.1.0) | 2023-01-13 18:06:06 | BuiltIn |
| Security Center | 7926a6d1-b268-4586-8197-e8ae90c877d7 | Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, new suffix: preview (1.0.0 > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
| Event Hub | 0602787f-9896-402a-a6e1-39ee63ee435e | Event Hub Namespaces should disable public network access | Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2023-01-13 18:06:06 | BuiltIn | |
| Data Factory | 77d40665-3120-4348-b539-3192ec808307 | Azure Data Factory should use a Git repository for source control | Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2023-01-13 18:06:06 | BuiltIn | |
| Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Deprecated]: Configure Microsoft Defender for APIs should be enabled | This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch, new suffix: preview (1.0.0 > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (9.0.0 > 9.1.0) | 2023-01-13 18:06:06 | BuiltIn |
| Key Vault | 86810a98-8e91-4a44-8386-ec66d0de5d57 | [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2023-01-13 18:06:06 | BuiltIn | |
| General | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2023-01-13 18:06:06 | BuiltIn | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (4.0.0 > 4.1.0) | 2023-01-13 18:06:06 | BuiltIn | |
| Guest Configuration | 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 | [Preview]: Configure Windows Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2023-01-04 18:03:56 | BuiltIn |
| Guest Configuration | cd22fc48-f2c9-4b86-98d3-ec1268b46a8a | Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2023-01-04 18:03:56 | BuiltIn |
| SQL | Deploy-Sql-vulnerabilityAssessments | [Deprecated]: Deploy SQL Database vulnerability Assessments | Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Monitoring Contributor •SQL Security Manager •Storage Account Contributor |
change |
Patch (1.0.0 > 1.0.1) Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ |
2023-01-04 04:18:03 | ALZ |
| Security Center | Deploy-ASC-SecurityContacts | Deploy Microsoft Defender for Cloud Security Contacts | Deploy Microsoft Defender for Cloud Security Contacts | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Minor (1.0.0 > 1.1.0) | 2022-12-28 28:18:06 | ALZ |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-12-21 17:43:51 | BuiltIn |
| Azure Databricks | 51c1490f-3319-459c-bbbc-7f391bbed753 | Azure Databricks Clusters should disable public IP | Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
| ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5192 | [Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | 938c4981-c2c9-4168-9cd6-972b8675f906 | Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers | Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-12-21 17:43:51 | BuiltIn | |
| App Service | 33228571-70a4-4fa1-8ca1-26d0aba8d6ef | [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-12-21 17:43:51 | BuiltIn | |
| Security Center | 1288c8d7-4b05-4e3a-bc88-9053caefc021 | [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets | Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | f08f556c-12ff-464d-a7de-40cb5b6cccec | [Preview]: Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | e71c1e29-9c76-4532-8c4b-cb0573b0014c | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets | Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn | |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major, suffix remains equal (2.1.1-preview > 3.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (2.0.1-preview > 3.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.1 > 2.0.0) | 2022-12-21 17:43:51 | BuiltIn |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-12-21 17:43:51 | BuiltIn |
| ChangeTrackingAndInventory | a7acfae7-9497-4a3f-a3b5-a16a50abbe2f | [Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| ChangeTrackingAndInventory | ef9fe2ce-a588-4edd-829c-6247069dcfdb | [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | 8893442c-e7cb-4637-bab8-299a5d4ed96a | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine | Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn | |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| ChangeTrackingAndInventory | 1142b015-2bd7-41e0-8645-a531afe09a1e | [Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2022-12-21 17:43:51 | BuiltIn |
| App Service | f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 | App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
| ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Azure Databricks | 138ff14d-b687-4faa-a81c-898c91a87fa2 | Resource logs in Azure Databricks Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
| Security Center | ec88097d-843f-4a92-8471-78016d337ba4 | [Preview]: Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Azure Databricks | 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d | Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4cd5 | [Preview]: Configure ChangeTracking Extension for Windows Arc machines | Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Guest Configuration | 5fe81c49-16b6-4870-9cee-45d13bf902ce | Local authentication methods should be disabled on Windows Servers | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d00 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets | Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn | |
| ChangeTrackingAndInventory | 8fd85785-1547-4a4a-bf90-d5483c9571c5 | [Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Machine Learning | f59276f0-5740-4aaf-821d-45d185aa210e | Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Guest Configuration | cd22fc48-f2c9-4b86-98d3-ec1268b46a8a | Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| ChangeTrackingAndInventory | bef2d677-e829-492d-9a3d-f5a20fda818f | [Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| ChangeTrackingAndInventory | ad1eeff9-20d7-4c82-a04e-903acab0bfc1 | [Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-12-21 17:43:51 | BuiltIn |
| App Service | ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd | [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-12-21 17:43:51 | BuiltIn | |
| ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | [Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| App Service | 5747353b-1ca9-42c1-a4dd-b874b894f3d4 | App Service app slots should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
| Guest Configuration | fad40cac-a972-4db0-b204-f1b15cced89a | Local authentication methods should be disabled on Linux machines | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2022-12-21 17:43:51 | BuiltIn |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn | |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d2c | [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets | Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Kubernetes | c5110b6e-5272-4989-9935-59ad06fdf341 | Azure Kubernetes Clusters should enable Container Storage Interface(CSI) | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
| App Service | a691eacb-474d-47e4-b287-b4813ca44222 | App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
| Security Center | 10caed8a-652c-4d1d-84e4-2805b7c07278 | [Preview]: Configure ChangeTracking Extension for Linux Arc machines | Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| ChangeTrackingAndInventory | 4485d24b-a9d3-4206-b691-1fad83bc5007 | [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-12-21 17:43:51 | BuiltIn |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| ChangeTrackingAndInventory | b6faa975-0add-4f35-8d1c-70bba45c4424 | [Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (5.0.0 > 6.0.0) | 2022-12-21 17:43:51 | BuiltIn |
| Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | Fixed AuditIfNotExists |
change |
Patch (2.0.0 > 2.0.1) | 2022-12-21 17:43:51 | BuiltIn | |
| App Service | 801543d1-1953-4a90-b8b0-8cf6d41473a5 | App Service apps should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
| Guest Configuration | 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 | [Preview]: Configure Windows Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-12-21 17:43:51 | BuiltIn |
| Machine Learning | afe0c3be-ba3b-4544-ba52-0c99672a8ad6 | Resource logs in Azure Machine Learning Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-12-21 17:43:51 | BuiltIn | |
| Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.1 > 2.0.0) | 2022-12-21 17:43:51 | BuiltIn |
| Security Center | 221aac80-54d8-484b-83d7-24f4feac2ce0 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine | Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-12-21 17:43:51 | BuiltIn | |
| Monitoring | Deploy-Diagnostics-DataFactory | Deploy Diagnostic Settings for Data Factory to Log Analytics workspace | Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2022-12-16 16:17:44 | ALZ |
| SQL | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-12-09 17:45:23 | BuiltIn | |
| Monitoring | c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 | Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | Fixed deployIfNotExists |
count: 002 •Monitoring Contributor •Storage Account Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2022-12-09 17:45:23 | BuiltIn |
| Monitoring | Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace | Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-11-22 22:17:43 | ALZ |
| Monitoring | Deploy-Diagnostics-Databricks | Deploy Diagnostic Settings for Databricks to Log Analytics workspace | Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2022-11-21 21:17:43 | ALZ |
| SQL | Deploy-Sql-SecurityAlertPolicies | Deploy SQL Database security Alert Policies configuration with email admin accounts | Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Security Manager |
change |
Minor (1.0.0 > 1.1.1) | 2022-11-17 17:17:42 | ALZ |
| SQL | Deploy-Sql-Tde | [Deprecated] Deploy SQL Database Transparent Data Encryption | Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Security Manager |
change |
Minor (1.0.0 > 1.1.0) Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn |
2022-11-17 17:17:42 | ALZ |
| Network | Deny-PublicIP | [Deprecated] Deny the creation of public IP | [Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters. | Default Deny Allowed Audit, Deny, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Not allowed resource types (6c112d4e-5bc7-47ae-a041-ea2d9dccd749) BuiltIn |
2022-11-14 14:17:43 | ALZ | |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.1.0 > 2.0.0) | 2022-11-04 17:41:52 | BuiltIn |
| Security Center | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | Microsoft Defender CSPM should be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-11-04 17:41:52 | BuiltIn | |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.1.0 > 3.0.0) | 2022-11-04 17:41:52 | BuiltIn |
| Security Center | 689f7782-ef2c-4270-a6d0-7664869076bd | Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2022-11-04 17:41:52 | BuiltIn |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.1.0 > 2.0.0) | 2022-11-04 17:41:52 | BuiltIn |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | [Deprecated]: Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Disabled Allowed Audit, Deny, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2022-11-04 17:41:52 | BuiltIn | |
| Network | Deploy-DDoSProtection | Deploy an Azure DDoS Network Protection | Deploys an Azure DDoS Network Protection | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-11-03 03:17:41 | ALZ |
| Monitoring | Deploy-Nsg-FlowLogs | [Deprecated] Deploys NSG flow logs and traffic analytics | [Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn |
2022-11-02 02:17:41 | ALZ |
| Monitoring | Deploy-Nsg-FlowLogs-to-LA | [Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics | [Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 005 •Contributor •Log Analytics Contributor •Network Contributor •Storage Account Contributor •Storage Account Key Operator Service Role |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn |
2022-11-02 02:17:41 | ALZ |
| Machine Learning | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f | Azure Machine Learning Computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-10-28 16:42:53 | BuiltIn | |
| Security Center | 938c4981-c2c9-4168-9cd6-972b8675f906 | Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers | Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-10-28 16:42:53 | BuiltIn | |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-10-28 16:42:53 | BuiltIn |
| Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Azure Machine Learning Computes to disable local authentication methods | Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-10-28 16:42:53 | BuiltIn |
| Automation | dea83a72-443c-4292-83d5-54a2f98749c0 | Automation Account should have Managed Identity | Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code . | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-10-28 16:42:53 | BuiltIn | |
| Kubernetes | 5485eac0-7e8f-4964-998b-a44f4f0c1e75 | Kubernetes cluster Windows containers should not run as ContainerAdministrator | Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-10-28 16:42:53 | BuiltIn | |
| Monitoring | Deploy-Diagnostics-CosmosDB | Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace | Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-AVDScalingPlans | Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace | Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-MediaService | Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-DataFactory | Deploy Diagnostic Settings for Data Factory to Log Analytics workspace | Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-SignalR | Deploy Diagnostic Settings for SignalR to Log Analytics workspace | Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-ExpressRoute | Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace | Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-VM | Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace | Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-AnalysisService | Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace | Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-ApplicationGateway | Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace | Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-ACI | Deploy Diagnostic Settings for Container Instances to Log Analytics workspace | Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-AA | Deploy Diagnostic Settings for Automation to Log Analytics workspace | Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-EventGridSub | Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace | Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-SQLElasticPools | Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace | Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-SQLMI | Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace | Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-HDInsight | Deploy Diagnostic Settings for HDInsight to Log Analytics workspace | Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-Bastion | Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace | Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-Website | Deploy Diagnostic Settings for App Service to Log Analytics workspace | Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-TrafficManager | Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace | Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-RedisCache | Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace | Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-NetworkSecurityGroups | Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace | Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-Firewall | Deploy Diagnostic Settings for Firewall to Log Analytics workspace | Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-EventGridTopic | Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace | Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-VirtualNetwork | Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace | Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-VMSS | Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace | Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-CDNEndpoints | Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace | Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-APIMgmt | Deploy Diagnostic Settings for API Management to Log Analytics workspace | Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-PostgreSQL | Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace | Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-LoadBalancer | Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace | Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-Function | Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace | Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-WebServerFarm | Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace | Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-ACR | Deploy Diagnostic Settings for Container Registry to Log Analytics workspace | Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-WVDWorkspace | Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace | Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.1 > 1.1.1) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-NIC | Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace | Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-PowerBIEmbedded | Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace | Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-LogicAppsISE | Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-MlWorkspace | Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace | Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-WVDHostPools | Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace | Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-ApiForFHIR | Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace | Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-MySQL | Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace | Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-FrontDoor | Deploy Diagnostic Settings for Front Door to Log Analytics workspace | Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-Relay | Deploy Diagnostic Settings for Relay to Log Analytics workspace | Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-iotHub | Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace | Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-EventGridSystemTopic | Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace | Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-CognitiveServices | Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace | Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-VNetGW | Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace | Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-TimeSeriesInsights | Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace | Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-MariaDB | [Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace | Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-DataExplorerCluster | Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace | Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-Databricks | Deploy Diagnostic Settings for Databricks to Log Analytics workspace | Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-WVDAppGroup | Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace | Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.1 > 1.1.1) | 2022-10-25 25:16:43 | ALZ |
| Monitoring | Deploy-Diagnostics-DLAnalytics | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-25 25:16:43 | ALZ |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 46238e2f-3f6f-4589-9f3f-77bed4116e67 | Azure Kubernetes Clusters should use Azure CNI | Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 41425d9f-d1a5-499a-9932-f8ed8453932c | Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Regulatory Compliance | 22a02c9a-49e4-5dc9-0d14-eb35ad717154 | Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Default Manual Allowed Manual, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Regulatory Compliance | f801d58e-5659-9a4a-6e8d-02c9334732e5 | Restore resources to operational state | CMA_C1297 - Restore resources to operational state | Default Manual Allowed Manual, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (8.0.0 > 8.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
Major (4.0.0 > 5.0.0) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (2.2.0 > 2.3.0) | 2022-10-21 16:42:13 | BuiltIn |
| Storage | b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb | Configure diagnostic settings for Blob Services to Log Analytics workspace | Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.0 > 7.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (2.0.0 > 2.0.1) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Monitoring | 8a04f872-51e9-4313-97fb-fc1c3543011c | Azure Application Gateway should have Resource logs enabled | Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (8.0.0 > 8.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2022-10-21 16:42:13 | BuiltIn | |
| Monitoring | 8a04f872-51e9-4313-97fb-fc1c35430fd8 | Azure Front Door should have Resource logs enabled | Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (8.0.0 > 8.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Regulatory Compliance | 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c | Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Default Manual Allowed Manual, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (9.0.0 > 9.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Regulatory Compliance | a3e98638-51d4-4e28-910a-60e98c1a756f | Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Default Manual Allowed Manual, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Regulatory Compliance | 62fa14f0-4cbe-762d-5469-0899a99b98aa | Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Default Manual Allowed Manual, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview) | 2022-10-21 16:42:13 | BuiltIn | |
| Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | da6e2401-19da-4532-9141-fb8fbde08431 | Azure Kubernetes Service Clusters should use managed identities | Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Regulatory Compliance | f33c3238-11d2-508c-877c-4262ec1132e1 | Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Default Manual Allowed Manual, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.0 > 7.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.0 > 7.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.0 > 7.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Minor (3.0.0 > 3.1.0) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Automanage | b025cfb4-3702-47c2-9110-87fe0cfcc99b | Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.2.0 > 1.3.0) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (9.0.0 > 9.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (8.0.0 > 8.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Storage | 59759c62-9a22-4cdf-ae64-074495983fef | Configure diagnostic settings for Storage Accounts to Log Analytics workspace | Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 | Azure Kubernetes Service Clusters should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 89f2d532-c53c-4f8f-9afa-4927b1114a0d | Azure Kubernetes Service Clusters should disable Command Invoke | Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 450d2877-ebea-41e8-b00c-e286317d21bf | Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration | AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.0 > 7.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 040732e8-d947-40b8-95d6-854c95024bf8 | Azure Kubernetes Service Private Clusters should be enabled | Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed deployIfNotExists |
count: 001 •Virtual Machine Contributor |
change |
Major (4.0.0 > 5.0.0) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 | Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (9.0.0 > 9.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix changed: new suffix: deprecated; old suffix: version (4.1.0-version-deprecated > 4.1.1-deprecated) | 2022-10-21 16:42:13 | BuiltIn |
| Regulatory Compliance | e3905a3c-97e7-0b4f-15fb-465c0927536f | Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Default Manual Allowed Manual, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Storage | 25a70cc8-2bd4-47f1-90b6-1478e4662c96 | Configure diagnostic settings for File Services to Log Analytics workspace | Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-10-21 16:42:13 | BuiltIn |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2022-10-21 16:42:13 | BuiltIn | |
| App Service | 2d048aca-6479-4923-88f5-e2ac295d9af3 | App Service Environment apps should not be reachable over public internet | To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-10-14 16:34:37 | BuiltIn | |
| Guest Configuration | 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 | [Preview]: Linux machines should meet STIG compliance requirement for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-14 16:34:37 | BuiltIn | |
| App Service | 4dcfb8b5-05cd-4090-a931-2ec29057e1fc | App Service app slots should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba | App Service apps should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| Azure Arc | d6eeba80-df61-4de5-8772-bc1b7852ba6b | Configure Azure Arc Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Azure Connected Machine Resource Administrator •Kubernetes Cluster - Azure Arc Onboarding •Network Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-10-07 16:34:28 | BuiltIn |
| App Service | fa98f1b1-1f56-4179-9faf-93ad82f3458f | Function app slots should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d | Configure App Service apps to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-07 16:34:28 | BuiltIn |
| Azure Arc | 12e7176a-4919-47ef-922b-34eda4c7f0ce | Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| Kubernetes | dbbdc317-9734-4dd8-9074-993b29c69008 | Azure Kubernetes Clusters should enable Key Management Service (KMS) | Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 0f98368e-36bc-4716-8ac2-8f8067203b63 | Configure App Service apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-10-07 16:34:28 | BuiltIn |
| App Service | 014664e7-e348-41a3-aeb9-566e4ff6a9df | Configure App Service app slots to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| App Service | cd794351-e536-40f4-9750-503a463d8cad | Configure Function apps to disable public network access | Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| App Service | fa3a6357-c6d6-4120-8429-855577ec0063 | Configure Function app slots to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) | 2022-10-07 16:34:28 | BuiltIn |
| App Service | deb528de-8f89-4101-881c-595899253102 | Function app slots should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | a08ae1ab-8d1d-422b-a123-df82b307ba61 | App Service app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | ae1b9a8c-dfce-4605-bd91-69213b4a26fc | App Service app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (1.0.0 > 2.0.0) | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2022-10-07 16:34:28 | BuiltIn | |
| Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) | 2022-10-07 16:34:28 | BuiltIn |
| Synapse | cb3738a6-82a2-4a18-b87b-15217b9deff4 | Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-10-07 16:34:28 | BuiltIn | |
| Synapse | 8b5c654c-fb07-471b-aa8f-15fea733f140 | Configure Azure Synapse Workspace Dedicated SQL minimum TLS version | Customers can raise or lower the minimal TLS version using the API, for both new Synapse workspaces or existing workspaces. So users who need to use a lower client version in the workspaces can connect while users who has security requirement can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-10-07 16:34:28 | BuiltIn |
| Azure Arc | 4002015b-1272-4dfb-8943-fed4aeec39b6 | Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Kubernetes Cluster - Azure Arc Onboarding |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| App Service | 2374605e-3e0b-492b-9046-229af202562c | Configure App Service apps to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| App Service | 701a595d-38fb-4a66-ae6d-fb3735217622 | App Service app slots should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Major (2.1.0 > 3.0.0) | 2022-10-07 16:34:28 | BuiltIn |
| App Service | 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 | [Deprecated]: App Services should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 08cf2974-d178-48a0-b26d-f6b8e555748b | Configure Function app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-10-07 16:34:28 | BuiltIn |
| App Service | 70adbb40-e092-42d5-a6f8-71c540a5efdb | Configure Function app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (4.0.0 > 5.0.0) | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 | Configure Function apps to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-10-07 16:34:28 | BuiltIn |
| Synapse | c3624673-d2ff-48e0-b28c-5de1c6767c3c | Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation | Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| App Service | 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 | Function app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (1.0.0 > 2.0.0) | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 969ac98b-88a8-449f-883c-2e9adb123127 | Function apps should disable public network access | Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | c6c3e00e-d414-4ca4-914f-406699bb8eee | Configure App Service app slots to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| App Service | a096cbd0-4693-432f-9374-682f485f23f3 | Configure Function apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-10-07 16:34:28 | BuiltIn |
| App Service | cca5adfe-626b-4cc6-8522-f5b6ed2391bd | Configure App Service app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (3.0.0 > 4.0.0) | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | d639b3af-a535-4bef-8dcf-15078cddf5e2 | App Service app slots should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 4a15c15f-90d5-4a1f-8b63-2903944963fd | App Service app slots should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 89691ef9-8c50-49a8-8950-9c7fba41699e | Function app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| Health Data Services workspace | 64528841-2f92-43f6-a137-d52e5c3dbeac | Azure Health Data Services workspace should use private link | Health Data Services workspace should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/healthcareapisprivatelink. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 242222f3-4985-4e99-b5ef-086d6a6cb01c | Configure Function app slots to disable public network access | Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Operator •Network Contributor •Website Contributor |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn |
| App Service | ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd | [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| Azure Arc | 55c4db33-97b0-437b-8469-c4f4498f5df9 | Configure Azure Arc Private Link Scopes to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Minor (1.0.0 > 1.2.0) | 2022-10-07 16:34:28 | BuiltIn |
| App Service | 81dff7c0-4020-4b58-955d-c076a2136b56 | [Deprecated]: Configure App Services to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-10-07 16:34:28 | BuiltIn |
| Synapse | 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 | Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation | Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 11c82d0c-db9f-4d7b-97c5-f3f9aa957da2 | Function app slots should disable public network access | Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | 4ee5b817-627a-435a-8932-116193268172 | App Service app slots should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-10-07 16:34:28 | BuiltIn | |
| App Service | a18c77f2-3d6d-497a-9f61-849a7e8a3b79 | Configure App Service app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-10-07 16:34:28 | BuiltIn |
| Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | Fixed AuditIfNotExists |
change |
Major (1.1.0 > 2.0.0) | 2022-10-05 16:36:28 | BuiltIn | |
| Security Center | e16f967a-aa57-4f5e-89cd-8d1434d0a29a | [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets | Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-09-30 16:34:23 | BuiltIn | |
| Security Center | 62b52eae-c795-44e3-94e8-1b3d264766fb | [Preview]: Azure Security agent should be installed on your Linux virtual machine scale sets | Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-09-30 16:34:23 | BuiltIn | |
| Security Center | bb2c6c6d-14bc-4443-bef3-c6be0adc6076 | [Preview]: Azure Security agent should be installed on your Windows virtual machines | Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-09-30 16:34:23 | BuiltIn | |
| Security Center | 808a7dc4-49f2-4e7b-af75-d14e561c244a | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent | Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-09-30 16:34:23 | BuiltIn |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (6.0.0-preview > 7.0.0-preview) | 2022-09-30 16:34:23 | BuiltIn |
| Synapse | cfaf0007-99c7-4b01-b36b-4048872ac978 | Azure Synapse Analytics dedicated SQL pools should enable encryption | Enable transparent data encryption for Azure Synapse Analytics dedicated SQL pools to protect data-at-rest and meet compliance requirements. Please note that enabling transparent data encryption for the pool may impact query performance. More details can refer to https://go.microsoft.com/fwlink/?linkid=2147714 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-30 16:34:23 | BuiltIn | |
| Security Center | 6654c8c4-e6f8-43f8-8869-54327af7ce32 | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent | Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-09-30 16:34:23 | BuiltIn |
| Security Center | e8794316-d918-4565-b57d-6b38a06381a0 | [Preview]: Azure Security agent should be installed on your Linux virtual machines | Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-09-30 16:34:23 | BuiltIn | |
| Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-09-30 16:34:23 | BuiltIn |
| Guest Configuration | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-30 16:34:23 | BuiltIn | |
| Guest Configuration | 3dc5edcd-002d-444c-b216-e123bbfa37c0 | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-30 16:34:23 | BuiltIn | |
| Regulatory Compliance | 84245967-7882-54f6-2d34-85059f725b47 | Establish an information security program | CMA_0263 - Establish an information security program | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ef5a7059-6651-73b1-18b3-75b1b79c1565 | Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f6da5cca-5795-60ff-49e1-4972567815fe | Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | bd4dc286-2f30-5b95-777c-681f3a7913d3 | Establish and document change control processes | CMA_0265 - Establish and document change control processes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 59f7feff-02aa-6539-2cf7-bea75b762140 | Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f9ec3263-9562-1768-65a1-729793635a8d | Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0f31d98d-5ce2-705b-4aa5-b4f6705110dd | Prepare alternate processing site for use as operational site | CMA_C1278 - Prepare alternate processing site for use as operational site | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3054c74b-9b45-2581-56cf-053a1a716c39 | Accept assessment results | CMA_C1150 - Accept assessment results | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8d140e8b-76c7-77de-1d46-ed1b2e112444 | Restrict access to private keys | CMA_0445 - Restrict access to private keys | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d | Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8b333332-6efd-7c0d-5a9f-d1eb95105214 | Employ FIPS 201-approved technology for PIV | CMA_C1579 - Employ FIPS 201-approved technology for PIV | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0716f0f5-4955-2ccb-8d5e-c6be14d57c0f | Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2b05dca2-25ec-9335-495c-29155f785082 | Provide security training before providing access | CMA_0418 - Provide security training before providing access | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f49925aa-9b11-76ae-10e2-6e973cc60f37 | Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5fc24b95-53f7-0ed1-2330-701b539b97fe | Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9c954fcf-6dd8-81f1-41b5-832ae5c62caf | Incorporate simulated contingency training | CMA_C1260 - Incorporate simulated contingency training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 611ebc63-8600-50b6-a0e3-fef272457132 | Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | cb8841d4-9d13-7292-1d06-ba4d68384681 | Perform a business impact assessment and application criticality assessment | CMA_0386 - Perform a business impact assessment and application criticality assessment | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 06af77de-02ca-0f3e-838a-a9420fe466f5 | Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 34aac8b2-488a-2b96-7280-5b9b481a317a | Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ff136354-1c92-76dc-2dab-80fb7c6a9f1a | Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1c258345-5cd4-30c8-9ef3-5ee4dd5231d6 | Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Monitoring | bd58d393-162c-4134-bcd6-a6a5484a37a1 | The legacy Log Analytics extension should not be installed on Azure Arc enabled Linux servers | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Linux servers. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add |
new Policy | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6228396e-2ace-7ca5-3247-45767dbf52f4 | Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ca748dfe-3e28-1d18-4221-89aea30aa0a5 | Identify status of individual users | CMA_C1316 - Identify status of individual users | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 214ea241-010d-8926-44cc-b90a96d52adc | Compile Audit records into system wide audit | CMA_C1140 - Compile Audit records into system wide audit | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 62fa14f0-4cbe-762d-5469-0899a99b98aa | Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9622aaa9-5c49-40e2-5bf8-660b7cd23deb | Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4502e506-5f35-0df4-684f-b326e3cc7093 | Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | eb8a8df9-521f-3ccd-7e2c-3d1fcc812340 | Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7fc1f0da-0050-19bb-3d75-81ae15940df6 | Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1fb1cb0e-1936-6f32-42fd-89970b535855 | Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6de65dc4-8b4f-34b7-9290-eb137a2e2929 | Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 12af7c7a-92af-9e96-0d0c-5e732d1a3751 | Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 085467a6-9679-5c65-584a-f55acefd0d43 | Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 464a7d7a-2358-4869-0b49-6d582ca21292 | Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | fad161f5-5261-401a-22dd-e037bae011bd | Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51 | Publish access procedures in SORNs | CMA_C1848 - Publish access procedures in SORNs | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c6aeb800-0b19-944d-92dc-59b893722329 | Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6f1de470-79f3-1572-866e-db0771352fc8 | Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7d10debd-4775-85a7-1a41-7e128e0e8c50 | Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7c7032fe-9ce6-9092-5890-87a1a3755db1 | Retain terminated user data | CMA_0455 - Retain terminated user data | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8aec4343-9153-9641-172c-defb201f56b3 | Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9ac8621d-9acd-55bf-9f99-ee4212cc3d85 | Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8019d788-713d-90a1-5570-dac5052f517d | Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d36700f2-2f0d-7c2a-059c-bdadd1d79f70 | Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 676c3c35-3c36-612c-9523-36d266a65000 | Require developers to provide training | CMA_C1611 - Require developers to provide training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 42116f15-5665-a52a-87bb-b40e64c74b6c | Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68 | Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9b8b05ec-3d21-215e-5d98-0f7cf0998202 | Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | db580551-0b3c-4ea1-8a4c-4cdb5feb340f | Provide the logout capability | CMA_C1055 - Provide the logout capability | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a08b18c7-9e0a-89f1-3696-d80902196719 | Document access privileges | CMA_0186 - Document access privileges | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ba78efc6-795c-64f4-7a02-91effbd34af9 | Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d18af1ac-0086-4762-6dc8-87cdded90e39 | Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 92b49e92-570f-1765-804a-378e6c592e28 | Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2c6bee3a-2180-2430-440d-db3c7a849870 | Document security operations | CMA_0202 - Document security operations | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f7eb1d0b-6d4f-2d59-1591-7563e11a9313 | Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 68d2e478-3b19-23eb-1357-31b296547457 | Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 75b9db50-7906-2351-98ae-0458218609e5 | Retain accounting of disclosures of information | CMA_C1819 - Retain accounting of disclosures of information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a830fe9e-08c9-a4fb-420c-6f6bf1702395 | Review account provisioning logs | CMA_0460 - Review account provisioning logs | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 873895e8-0e3a-6492-42e9-22cd030e9fcd | Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8b077bff-516f-3983-6c42-c86e9a11868b | Designate individuals to fulfill specific roles and responsibilities | CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6610f662-37e9-2f71-65be-502bdc2f554d | Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1afada58-8b34-7ac2-a38a-983218635201 | Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 32f22cfa-770b-057c-965b-450898425519 | Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | de770ba6-50dd-a316-2932-e0d972eaa734 | Require approval for account creation | CMA_0431 - Require approval for account creation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 07b42fb5-027e-5a3c-4915-9d9ef3020ec7 | Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6b957f60-54cd-5752-44d5-ff5a64366c93 | Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 27ce30dd-3d56-8b54-6144-e26d9a37a541 | Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 60442979-6333-85f0-84c5-b887bac67448 | Evaluate alternate processing site capabilities | CMA_C1266 - Evaluate alternate processing site capabilities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0471c6b7-1588-701c-2713-1fade73b75f6 | Display an explicit logout message | CMA_C1056 - Display an explicit logout message | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5715bf33-a5bd-1084-4e19-bc3c83ec1c35 | Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5020f3f4-a579-2f28-72a8-283c5a0b15f9 | Restrict communications | CMA_0449 - Restrict communications | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 37dbe3dc-0e9c-24fa-36f2-11197cbfa207 | Ensure authorized users protect provided authenticators | CMA_C1339 - Ensure authorized users protect provided authenticators | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5269d7e4-3768-501d-7e46-66c56c15622c | Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0 | Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c79d378a-2521-822a-0407-57454f8d2c74 | Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | be38a620-000b-21cf-3cb3-ea151b704c3b | Remediate information system flaws | CMA_0427 - Remediate information system flaws | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | af5ff768-a34b-720e-1224-e6b3214f3ba6 | Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 39999038-9ef1-602a-158c-ce2367185230 | Define performance metrics | CMA_0124 - Define performance metrics | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d25cbded-121e-0ed6-1857-dc698c9095b1 | Take action in response to customer information | CMA_C1554 - Take action in response to customer information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8c5d3d8d-5cba-0def-257c-5ab9ea9644dc | Perform a risk assessment | CMA_0388 - Perform a risk assessment | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5d3abfea-a130-1208-29c0-e57de80aa6b0 | Review the results of contingency plan testing | CMA_C1262 - Review the results of contingency plan testing | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ffea18d9-13de-6505-37f3-4c1f88070ad7 | Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1 | Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 979ed3b6-83f9-26bc-4b86-5b05464700bf | Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0040d2e5-2779-170d-6a2c-1f5fca353335 | Restrict location of information processing, storage and services | CMA_C1593 - Restrict location of information processing, storage and services | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6 | Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2 | Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7a114735-a420-057d-a651-9a73cd0416ef | Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 57adc919-9dca-817c-8197-64d812070316 | Develop an enterprise architecture | CMA_C1741 - Develop an enterprise architecture | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 52375c01-4d4c-7acc-3aa4-5b3d53a047ec | Define the duties of processors | CMA_0127 - Define the duties of processors | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7d7a8356-5c34-9a95-3118-1424cfaf192a | Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (6.0.0-preview > 7.0.0-preview) | 2022-09-27 16:35:32 | BuiltIn |
| Regulatory Compliance | 16c54e01-9e65-7524-7c33-beda48a75779 | Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3ad7f0bc-3d03-0585-4d24-529779bb02c2 | Maintain availability of information | CMA_C1644 - Maintain availability of information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e23444b9-9662-40f3-289e-6d25c02b48fa | Review label activity and analytics | CMA_0474 - Review label activity and analytics | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | bd6cbcba-4a2d-507c-53e3-296b5c238a8e | Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 245fe58b-96f8-9f1e-48c5-7f49903f66fd | Establish alternate storage site that facilitates recovery operations | CMA_C1270 - Establish alternate storage site that facilitates recovery operations | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6625638f-3ba1-7404-5983-0ea33d719d34 | Review audit data | CMA_0466 - Review audit data | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 20012034-96f0-85c2-4a86-1ae1eb457802 | Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d200f199-69f4-95a6-90b0-37ff0cf1040c | Provide the capability to extend or limit auditing on customer-deployed resources | CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e8c31e15-642d-600f-78ab-bad47a5787e6 | Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c0559109-6a27-a217-6821-5a6d44f92897 | Maintain integrity of audit system | CMA_C1133 - Maintain integrity of audit system | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f30edfad-4e1d-1eef-27ee-9292d6d89842 | Perform security function verification at a defined frequency | CMA_C1709 - Perform security function verification at a defined frequency | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | be1c34ab-295a-07a6-785c-36f63c1d223e | Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2b2f3a72-9e68-3993-2b69-13dcdecf8958 | Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3545c827-26ee-282d-4629-23952a12008b | Conduct incident response testing | CMA_0060 - Conduct incident response testing | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | fe2dff43-0a8c-95df-0432-cb1c794b17d0 | Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0f4fa857-079d-9d3d-5c49-21f616189e03 | Provide real-time alerts for audit event failures | CMA_C1114 - Provide real-time alerts for audit event failures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 55be3260-a7a2-3c06-7fe6-072d07525ab7 | Accept PIV credentials | CMA_C1347 - Accept PIV credentials | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e4e1f896-8a93-1151-43c7-0ad23b081ee2 | Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | de077e7e-0cc8-65a6-6e08-9ab46c827b05 | Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 678ca228-042d-6d8e-a598-c58d5670437d | Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e | Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f96d2186-79df-262d-3f76-f371e3b71798 | Review user privileges | CMA_C1039 - Review user privileges | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b5244f81-6cab-3188-2412-179162294996 | Review publicly accessible content for nonpublic information | CMA_C1086 - Review publicly accessible content for nonpublic information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65 | Update antivirus definitions | CMA_0517 - Update antivirus definitions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | cf79f602-1e60-5423-6c0c-e632c2ea1fc0 | Implement controls to protect PII | CMA_C1839 - Implement controls to protect PII | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d9edcea6-6cb8-0266-a48c-2061fbac4310 | Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 34738025-5925-51f9-1081-f2d0060133ed | Information security and personal data protection | CMA_0332 - Information security and personal data protection | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 37546841-8ea1-5be0-214d-8ac599588332 | Maintain incident response plan | CMA_0352 - Maintain incident response plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a28323fe-276d-3787-32d2-cef6395764c4 | Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b8dad106-6444-5f55-307e-1e1cc9723e39 | Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f27a298f-9443-014a-0d40-fef12adf0259 | Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 836f8406-3b8a-11bb-12cb-6c7fa0765668 | Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e89436d8-6a93-3b62-4444-1d2a42ad56b2 | Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d6653f89-7cb5-24a4-9d71-51581038231b | Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d93fe1be-13e4-421d-9c21-3158e2fa2667 | Implement plans of action and milestones for security program process | CMA_C1737 - Implement plans of action and milestones for security program process | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a1334a65-2622-28ee-5067-9d7f5b915cc5 | Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5023a9e7-8e64-2db6-31dc-7bce27f796af | Provide privacy notice to the public and to individuals | CMA_C1861 - Provide privacy notice to the public and to individuals | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 85335602-93f5-7730-830b-d43426fd51fa | Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4c6df5ff-4ef2-4f17-a516-0da9189c603b | Assign account managers | CMA_0015 - Assign account managers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | df54d34f-65f3-39f1-103c-a0464b8615df | Manage transfers between standby and active system components | CMA_0371 - Manage transfers between standby and active system components | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 318b2bd9-9c39-9f8b-46a7-048401f33476 | Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 509552f5-6528-3540-7959-fbeae4832533 | Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5226dee6-3420-711b-4709-8e675ebd828f | Update information security policies | CMA_0518 - Update information security policies | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f78fc35e-1268-0bca-a798-afcba9d2330a | Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0065241c-72e9-3b2c-556f-75de66332a94 | Establish parameters for searching secret authenticators and verifiers | CMA_0274 - Establish parameters for searching secret authenticators and verifiers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1ee4c7eb-480a-0007-77ff-4ba370776266 | Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c423e64d-995c-9f67-0403-b540f65ba42a | Assess Security Controls | CMA_C1145 - Assess Security Controls | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3e37c891-840c-3eb4-78d2-e2e0bb5063e0 | Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 423f6d9c-0c73-9cc6-64f4-b52242490368 | Develop security safeguards | CMA_0161 - Develop security safeguards | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 04837a26-2601-1982-3da7-bf463e6408f4 | Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2d4d0e90-32d9-4deb-2166-a00d51ed57c0 | Provide information spillage training | CMA_0413 - Provide information spillage training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | aa892c0d-2c40-200c-0dd8-eac8c4748ede | Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9b55929b-0101-47c0-a16e-d6ac5c7d21f8 | Undergo independent security review | CMA_0515 - Undergo independent security review | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8489ff90-8d29-61df-2d84-f9ab0f4c5e84 | Notify when account is not needed | CMA_0383 - Notify when account is not needed | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115 | Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | fd81a1b3-2d7a-107c-507e-29b87d040c19 | Enforce appropriate usage of all accounts | CMA_C1023 - Enforce appropriate usage of all accounts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 834b7a4a-83ab-2188-1a26-9c5033d8173b | Incorporate security and data privacy practices in research processing | CMA_0331 - Incorporate security and data privacy practices in research processing | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4aacaec9-0628-272c-3e83-0d68446694e0 | Manage Authenticators | CMA_C1321 - Manage Authenticators | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 098dcde7-016a-06c3-0985-0daaf3301d3a | Distribute authenticators | CMA_0184 - Distribute authenticators | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ebb0ba89-6d8c-84a7-252b-7393881e43de | Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ba02d0a0-566a-25dc-73f1-101c726a19c5 | Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 14a4fd0a-9100-1e12-1362-792014a28155 | Update contingency plan | CMA_C1248 - Update contingency plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b9d45adb-471b-56a5-64d2-5b241f126174 | Automate privacy controls | CMA_C1817 - Automate privacy controls | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 13efd2d7-3980-a2a4-39d0-527180c009e8 | Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b470a37a-7a47-3792-34dd-7a793140702e | Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a4493012-908c-5f48-a468-1e243be884ce | Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 34d38ea7-6754-1838-7031-d7fd07099821 | Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 91cf132e-0c9f-37a8-a523-dc6a92cd2fb2 | Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1bc7fd64-291f-028e-4ed6-6e07886e163f | Employ least privilege access | CMA_0212 - Employ least privilege access | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | eab4450d-9e5c-4f38-0656-2ff8c78c83f3 | Document and implement privacy complaint procedures | CMA_0189 - Document and implement privacy complaint procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a90c4d44-7fac-8e02-6d5b-0d92046b20e6 | Automate flaw remediation | CMA_0027 - Automate flaw remediation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 291f20d4-8d93-1d73-89f3-6ce28b825563 | Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f8a63511-66f1-503f-196d-d6217ee0823a | Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 524e7136-9f6a-75ba-9089-501018151346 | Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 41172402-8d73-64c7-0921-909083c086b0 | Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 33602e78-35e3-4f06-17fb-13dd887448e4 | Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4b8fd5da-609b-33bf-9724-1c946285a14c | Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 05ec66a2-137c-14b8-8e75-3d7a2bef07f8 | Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2067b904-9552-3259-0cdd-84468e284b7c | Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 056a723b-4946-9d2a-5243-3aa27c4d31a1 | Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8eea8c14-4d93-63a3-0c82-000343ee5204 | Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8e920169-739d-40b5-3f99-c4d855327bb2 | Prohibit binary/machine-executable code | CMA_C1717 - Prohibit binary/machine-executable code | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 171e377b-5224-4a97-1eaa-62a3b5231dac | Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 477bd136-7dd9-55f8-48ac-bae096b86a07 | Develop POA&M | CMA_C1156 - Develop POA&M | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e603da3a-8af7-4f8a-94cb-1bcc0e0333d2 | Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 57927290-8000-59bf-3776-90c468ac5b4b | Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6ab47bbf-867e-9113-7998-89b58f77326a | Respond to complaints, concerns, or questions timely | CMA_C1853 - Respond to complaints, concerns, or questions timely | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e | Implement methods for consumer requests | CMA_0319 - Implement methods for consumer requests | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d4f70530-19a2-2a85-6e0c-0c3c465e3325 | Make accounting of disclosures available upon request | CMA_C1820 - Make accounting of disclosures available upon request | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 33832848-42ab-63f3-1a55-c0ad309d44cd | Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d041726f-00e0-41ca-368c-b1a122066482 | Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 84a01872-5318-049e-061e-d56734183e84 | Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ee67c031-57fc-53d0-0cca-96c4c04345e8 | Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 08ad71d0-52be-6503-4908-e015460a16ae | Require use of individual authenticators | CMA_C1305 - Require use of individual authenticators | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 79f081c7-1634-01a1-708e-376197999289 | Review user accounts | CMA_0480 - Review user accounts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 33d34fac-56a8-1c0f-0636-3ed94892a709 | Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c2eabc28-1e5c-78a2-a712-7cc176c44c07 | Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d02498e0-8a6f-6b02-8332-19adf6711d1e | Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0a24f5dc-8c40-94a7-7aee-bb7cd4781d37 | Issue guidelines for ensuring data quality and integrity | CMA_C1824 - Issue guidelines for ensuring data quality and integrity | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba | Review file and folder activity | CMA_0473 - Review file and folder activity | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8f835d6a-4d13-9a9c-37dc-176cebd37fda | Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b53aa659-513e-032c-52e6-1ce0ba46582f | Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a8f9c283-9a66-3eb3-9e10-bdba95b85884 | Run simulation attacks | CMA_0486 - Run simulation attacks | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4f23967c-a74b-9a09-9dc2-f566f61a87b9 | Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9150259b-617b-596d-3bf5-5ca3fce20335 | Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 77cc89bb-774f-48d7-8a84-fb8c322c3000 | Track software license usage | CMA_C1235 - Track software license usage | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | af227964-5b8b-22a2-9364-06d2cb9d6d7c | Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d8bbd80e-3bb1-5983-06c2-428526ec6a63 | Establish a password policy | CMA_0256 - Establish a password policy | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 20762f1e-85fb-31b0-a600-e833633f10fe | Reveal error messages | CMA_C1725 - Reveal error messages | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 037c0089-6606-2dab-49ad-437005b5035f | Identify incident response personnel | CMA_0301 - Identify incident response personnel | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 13ef3484-3a51-785a-9c96-500f21f84edd | Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7d70383a-32f4-a0c2-61cf-a134851968c2 | Determine legal authority to collect PII | CMA_C1800 - Determine legal authority to collect PII | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3a868d0c-538f-968b-0191-bddb44da5b75 | Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Security Center | 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 069101ac-4578-31da-0cd4-ff083edd3eb4 | Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 69d90ee6-9f9f-262a-2038-d909fb4e5723 | Identify spilled information | CMA_0303 - Identify spilled information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 096a7055-30cb-2db4-3fda-41b20ac72667 | Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1beb1269-62ee-32cd-21ad-43d6c9750eb6 | Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 53fc1282-0ee3-2764-1319-e20143bb0ea5 | Review contingency plan | CMA_C1247 - Review contingency plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1fdeb7c4-4c93-8271-a135-17ebe85f1cc7 | Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | dad8a2e9-6f27-4fc2-8933-7e99fe700c9c | Authorize remote access | CMA_0024 - Authorize remote access | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 58a51cde-008b-1a5d-61b5-d95849770677 | Test the business continuity and disaster recovery plan | CMA_0509 - Test the business continuity and disaster recovery plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | dad1887d-161b-7b61-2e4d-5124a7b5724e | Measure the time between flaw identification and flaw remediation | CMA_C1674 - Measure the time between flaw identification and flaw remediation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d661e9eb-4e15-5ba1-6f02-cdc467db0d6c | Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 79c75b38-334b-1a69-65e0-a9d929a42f75 | Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 058e9719-1ff9-3653-4230-23f76b6492e0 | Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 82bd024a-5c99-05d6-96ff-01f539676a1a | Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 79365f13-8ba4-1f6c-2ac4-aa39929f56d0 | Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4012c2b7-4e0e-a7ab-1688-4aab43f14420 | Map authenticated identities to individuals | CMA_0372 - Map authenticated identities to individuals | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 29acfac0-4bb4-121b-8283-8943198b1549 | Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7805a343-275c-41be-9d62-7215b96212d8 | Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | db8b35d6-8adb-3f51-44ff-c648ab5b1530 | Employ FICAM-approved resources to accept third-party credentials | CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b2ea1058-8998-3dd1-84f1-82132ad482fd | Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 098a7b84-1031-66d8-4e78-bd15b5fd2efb | Provide privacy notice | CMA_0414 - Provide privacy notice | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 70057208-70cc-7b31-3c3a-121af6bc1966 | Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b2d3e5a2-97ab-5497-565a-71172a729d93 | Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Security Center | 1cb4d9c2-f88f-4069-bee0-dba239a57b09 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 203101f5-99a3-1491-1b56-acccd9b66a9e | Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 01ae60e2-38bb-0a32-7b20-d3a091423409 | Implement system boundary protection | CMA_0328 - Implement system boundary protection | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 92a7591f-73b3-1173-a09c-a08882d84c70 | Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 043c1e56-5a16-52f8-6af8-583098ff3e60 | Create a data inventory | CMA_0096 - Create a data inventory | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ff1efad2-6b09-54cc-01bf-d386c4d558a8 | Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1e0d5ba8-a433-01aa-829c-86b06c9631ec | Include dynamic reconfig of customer deployed resources | CMA_C1364 - Include dynamic reconfig of customer deployed resources | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5c33538e-02f8-0a7f-998b-a4c1e22076d3 | Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8e49107c-3338-40d1-02aa-d524178a2afe | Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b3c8cc83-20d3-3890-8bc8-5568777670f4 | Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4e45863d-9ea9-32b4-a204-2680bc6007a6 | Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1a2a03a4-9992-5788-5953-d8f6615306de | Govern policies and procedures | CMA_0292 - Govern policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e1379836-3492-6395-451d-2f5062e14136 | Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d7c1ecc3-2980-a079-1569-91aec8ac4a77 | Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 526ed90e-890f-69e7-0386-ba5c0f1f784f | Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 623b5f0a-8cbd-03a6-4892-201d27302f0c | Define information system account types | CMA_0121 - Define information system account types | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a930f477-9dcb-2113-8aa7-45bb6fc90861 | Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b8587fce-138f-86e8-33a3-c60768bf1da6 | Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4a6f5cbd-6c6b-006f-2bb1-091af1441bce | Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e714b481-8fac-64a2-14a9-6f079b2501a4 | Use privileged identity management | CMA_0533 - Use privileged identity management | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2e7a98c9-219f-0d58-38dc-d69038224442 | Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4ce91e4e-6dab-3c46-011a-aa14ae1561bf | Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | bf883b14-9c19-0f37-8825-5e39a8b66d5b | Perform threat modeling | CMA_0392 - Perform threat modeling | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7ad83b58-2042-085d-08f0-13e946f26f89 | Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | de251b09-4a5e-1204-4bef-62ac58d47999 | Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 28aa060e-25c7-6121-05d8-a846f11433df | Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 13939f8c-4cd5-a6db-9af4-9dfec35e3722 | Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 68a39c2b-0f17-69ee-37a3-aa10f9853a08 | Establish voip usage restrictions | CMA_0280 - Establish voip usage restrictions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e4b00788-7e1c-33ec-0418-d048508e095b | Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 08c11b48-8745-034d-1c1b-a144feec73b9 | Restrict use of open source software | CMA_C1237 - Restrict use of open source software | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2b4e134f-1e4c-2bff-573e-082d85479b6e | Develop an incident response plan | CMA_0145 - Develop an incident response plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1ff03f2a-974b-3272-34f2-f6cd51420b30 | Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e750ca06-1824-464a-2cf3-d0fa754d1cb4 | Establish a secure software development program | CMA_0259 - Establish a secure software development program | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d8350d4c-9314-400b-288f-20ddfce04fbd | Define and enforce the limit of concurrent sessions | CMA_C1050 - Define and enforce the limit of concurrent sessions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f | Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | afbecd30-37ee-a27b-8e09-6ac49951a0ee | Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | eda0cbb7-6043-05bf-645b-67411f1a59b3 | Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f26af0b1-65b6-689a-a03f-352ad2d00f98 | Audit privileged functions | CMA_0019 - Audit privileged functions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7380631c-5bf5-0e3a-4509-0873becd8a63 | Establish a configuration control board | CMA_0254 - Establish a configuration control board | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3c93dba1-84fd-57de-33c7-ef0400a08134 | Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9e3c505e-7aeb-2096-3417-b132242731fc | Review content prior to posting publicly accessible information | CMA_C1085 - Review content prior to posting publicly accessible information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 015b4935-448a-8684-27c0-d13086356c33 | Implement a threat awareness program | CMA_C1758 - Implement a threat awareness program | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b33d61c1-7463-7025-0ec0-a47585b59147 | Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 22c16ae4-19d0-29cb-422f-cb44061180ee | Disable user accounts posing a significant risk | CMA_C1026 - Disable user accounts posing a significant risk | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f8d141b7-4e21-62a6-6608-c79336e36bc9 | Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 271a3e58-1b38-933d-74c9-a580006b80aa | Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9 | Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 91a54089-2d69-0f56-62dc-b6371a1671c0 | Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 75b42dcf-7840-1271-260b-852273d7906e | Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f741c4e6-41eb-15a4-25a2-61ac7ca232f0 | Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3d399cf3-8fc6-0efc-6ab0-1412f1198517 | Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | eb598832-4bcc-658d-4381-3ecbe17b9866 | Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | eaaae23f-92c9-4460-51cf-913feaea4d52 | Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7bdb79ea-16b8-453e-4ca4-ad5b16012414 | Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 83eea3d3-0d2c-9ccd-1021-2111b29b2a62 | Ensure system capable of dynamic isolation of resources | CMA_C1638 - Ensure system capable of dynamic isolation of resources | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f33c3238-11d2-508c-877c-4262ec1132e1 | Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2af4640d-11a6-a64b-5ceb-a468f4341c0c | Define and enforce inactivity log policy | CMA_C1017 - Define and enforce inactivity log policy | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6f311b49-9b0d-8c67-3d6e-db80ae528173 | Bind authenticators and identities dynamically | CMA_0035 - Bind authenticators and identities dynamically | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4 | Define mobile device requirements | CMA_0122 - Define mobile device requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | cdcb825f-a0fb-31f9-29c1-ab566718499a | Publish Computer Matching Agreements on public website | CMA_C1829 - Publish Computer Matching Agreements on public website | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | dbcef108-7a04-38f5-8609-99da110a2a57 | Determine information protection needs | CMA_C1750 - Determine information protection needs | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8747b573-8294-86a0-8914-49e9b06a5ace | Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 964b340a-43a4-4798-2af5-7aedf6cb001b | Collect PII directly from the individual | CMA_C1822 - Collect PII directly from the individual | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e54901fe-42c2-7f3b-3c5f-327aa5320a69 | Automate information sharing decisions | CMA_0028 - Automate information sharing decisions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ab02bb73-4ce1-89dd-3905-d93042809ba0 | Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 92b94485-1c49-3350-9ada-dffe94f08e87 | Obtain approvals for acquisitions and outsourcing | CMA_C1590 - Obtain approvals for acquisitions and outsourcing | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8 | Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b8a9bb2f-7290-3259-85ce-dca7d521302d | Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 44f8a42d-739f-8030-89a8-4c2d5b3f6af3 | Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 725164e5-3b21-1ec2-7e42-14f077862841 | Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Cosmos DB | 9d83ccb1-f313-46ce-9d39-a198bfdb51a0 | Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration. | Regenerate your keys in the specified time to keep your data more protected. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4ee5975d-2507-5530-a20a-83a725889c6f | Restrict unauthorized software and firmware installation | CMA_C1205 - Restrict unauthorized software and firmware installation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0803eaa7-671c-08a7-52fd-ac419f775e75 | Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c6b877a6-5d6d-1862-4b7f-3ccc30b25b63 | Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1282809c-9001-176b-4a81-260a085f4872 | Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 21633c09-804e-7fcd-78e3-635c6bfe2be7 | Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 178c8b7e-1b6e-4289-44dd-2f1526b678a1 | Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 55a7f9a0-6397-7589-05ef-5ed59a8149e7 | Control physical access | CMA_0081 - Control physical access | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e6f7b584-877a-0d69-77d4-ab8b923a9650 | Document separation of duties | CMA_0204 - Document separation of duties | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 311802f9-098d-0659-245a-94c5d47c0182 | Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b65c5d8e-9043-9612-2c17-65f231d763bb | Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8 | Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7a0ecd94-3699-5273-76a5-edb8499f655a | Determine assertion requirements | CMA_0136 - Determine assertion requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1fdf0b24-4043-3c55-357e-036985d50b52 | Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5b802722-71dd-a13d-2e7e-231e09589efb | Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 23d1a569-2d1e-7f43-9e22-1f94115b7dd5 | Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 27ab3ac0-910d-724d-0afa-1a2a01e996c0 | Respond to rectification requests | CMA_0442 - Respond to rectification requests | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 585af6e9-90c0-4575-67a7-2f9548972e32 | Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d4e6a629-28eb-79a9-000b-88030e4823ca | Coordinate with external organizations to achieve cross org perspective | CMA_C1368 - Coordinate with external organizations to achieve cross org perspective | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b544f797-a73b-1be3-6d01-6b1a085376bc | Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6bededc0-2985-54d5-4158-eb8bad8070a0 | Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c981fa70-2e58-8141-1457-e7f62ebc2ade | Document organizational access agreements | CMA_0192 - Document organizational access agreements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8b1f29eb-1b22-4217-5337-9207cb55231e | Perform information input validation | CMA_C1723 - Perform information input validation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c3b3cc61-9c70-5d78-7f12-1aefcc477db7 | Review security testing, training, and monitoring plans | CMA_C1754 - Review security testing, training, and monitoring plans | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c7e8ddc1-14aa-1814-7fe1-aad1742b27da | Enforce expiration of cached authenticators | CMA_C1343 - Enforce expiration of cached authenticators | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3d492600-27ba-62cc-a1c3-66eb919f6a0d | Document remote access guidelines | CMA_0196 - Document remote access guidelines | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 18e7906d-4197-20fa-2f14-aaac21864e71 | Document process to ensure integrity of PII | CMA_C1827 - Document process to ensure integrity of PII | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e4054c0e-1184-09e6-4c5e-701e0bc90f81 | Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | bfc540fe-376c-2eef-4355-121312fa4437 | Maintain separate execution domains for running processes | CMA_C1665 - Maintain separate execution domains for running processes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | cc057769-01d9-95ad-a36f-1e62a7f9540b | Update POA&M items | CMA_C1157 - Update POA&M items | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0e696f5a-451f-5c15-5532-044136538491 | Protect audit information | CMA_0401 - Protect audit information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0a412110-3874-9f22-187a-c7a81c8a6704 | Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ad1d562b-a04b-15d3-6770-ed310b601cb5 | Publish rules and regulations accessing Privacy Act records | CMA_C1847 - Publish rules and regulations accessing Privacy Act records | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3baee3fd-30f5-882c-018c-cc78703a0106 | Employ independent assessors for continuous monitoring | CMA_C1168 - Employ independent assessors for continuous monitoring | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3c9aa856-6b86-35dc-83f4-bc72cec74dea | Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b0e3035d-6366-2e37-796e-8bcab9c649e6 | Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 426c172c-9914-10d1-25dd-669641fc1af4 | Enable detection of network devices | CMA_0220 - Enable detection of network devices | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | bbb2e6d6-085f-5a35-a55d-e45daad38933 | Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 04b3e7f6-4841-888d-4799-cda19a0084f6 | Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 90a156a6-49ed-18d1-1052-69aac27c05cd | Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928 | Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 35963d41-4263-0ef9-98d5-70eb058f9e3c | Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 341bc9f1-7489-07d9-4ec6-971573e1546a | Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b4e19d22-8c0e-7cad-3219-c84c62dc250f | Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 333b4ada-4a02-0648-3d4d-d812974f1bb2 | Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f29b17a4-0df2-8a50-058a-8570f9979d28 | Assign system identifiers | CMA_0018 - Assign system identifiers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 01c387ea-383d-4ca9-295a-977fab516b03 | Authorize remote access to privileged commands | CMA_C1064 - Authorize remote access to privileged commands | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 22a02c9a-49e4-5dc9-0d14-eb35ad717154 | Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f2222056-062d-1060-6dc2-0107a68c34b2 | Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | dd2523d5-2db3-642b-a1cf-83ac973b32c2 | Establish benchmarks for flaw remediation | CMA_C1675 - Establish benchmarks for flaw remediation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb | Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3bd4e0af-7cbb-a3ec-4918-056a3c017ae2 | Keep SORNs updated | CMA_C1863 - Keep SORNs updated | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b262e1dd-08e9-41d4-963a-258909ad794b | Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6122970b-8d4a-7811-0278-4c6c68f61e4f | Restrict media use | CMA_0450 - Restrict media use | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f801d58e-5659-9a4a-6e8d-02c9334732e5 | Restore resources to operational state | CMA_C1297 - Restore resources to operational state | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ced727b3-005e-3c5b-5cd5-230b79d56ee8 | Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 77acc53d-0f67-6e06-7d04-5750653d4629 | Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e9c60c37-65b0-2d72-6c3c-af66036203ae | Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b8972f60-8d77-1cb8-686f-9c9f4cdd8a59 | Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 575ed5e8-4c29-99d0-0e4d-689fb1d29827 | Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c7d57a6a-7cc2-66c0-299f-83bf90558f5d | Enforce random unique session identifiers | CMA_0247 - Enforce random unique session identifiers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 95eb7d09-9937-5df9-11d9-20317e3f60df | Provide formal notice to individuals | CMA_C1864 - Provide formal notice to individuals | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | aa305b4d-8c84-1754-0c74-dec004e66be0 | Develop contingency plan | CMA_C1244 - Develop contingency plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8a703eb5-4e53-701b-67e4-05ba2f7930c8 | Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5f2e834d-7e40-a4d5-a216-e49b16955ccf | Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a3e98638-51d4-4e28-910a-60e98c1a756f | Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 11ba0508-58a8-44de-5f3a-9e05d80571da | Develop business classification schemes | CMA_0155 - Develop business classification schemes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6f3866e8-6e12-69cf-788c-809d426094a1 | Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 729c8708-2bec-093c-8427-2e87d2cd426d | Automate notification of employee termination | CMA_C1521 - Automate notification of employee termination | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | aa0ddd99-43eb-302d-3f8f-42b499182960 | Install an alarm system | CMA_0338 - Install an alarm system | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 677e1da4-00c3-287a-563d-f4a1cf9b99a0 | Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 10874318-0bf7-a41f-8463-03e395482080 | Correlate audit records | CMA_0087 - Correlate audit records | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c246d146-82b0-301f-32e7-1065dcd248b7 | Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 54a9c072-4a93-2a03-6a43-a060d30383d7 | Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 26d178a4-9261-6f04-a100-47ed85314c6e | Implement security directives | CMA_C1706 - Implement security directives | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ced291b8-1d3d-7e27-40cf-829e9dd523c8 | Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 26daf649-22d1-97e9-2a8a-01b182194d59 | Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e7422f08-65b4-50e4-3779-d793156e0079 | Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6abdf7c7-362b-3f35-099e-533ed50988f9 | Assign information security representative to change control | CMA_C1198 - Assign information security representative to change control | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d78f95ba-870a-a500-6104-8a5ce2534f19 | Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a8df9c78-4044-98be-2c05-31a315ac8957 | Conform to FICAM-issued profiles | CMA_C1350 - Conform to FICAM-issued profiles | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 22457e81-3ec6-5271-a786-c3ca284601dd | Isolate information spills | CMA_0346 - Isolate information spills | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 39eb03c1-97cc-11ab-0960-6209ed2869f7 | Establish a privacy program | CMA_0257 - Establish a privacy program | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b5a4be05-3997-1731-3260-98be653610f6 | Perform disposition review | CMA_0391 - Perform disposition review | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Monitoring | 383c45fa-8b64-4d1c-aa9f-e69d2d879aa4 | The legacy Log Analytics extension should not be installed on Linux virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add |
new Policy | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | fc26e2fd-3149-74b4-5988-d64bb90f8ef7 | Separately store backup information | CMA_C1293 - Separately store backup information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | edcc36f1-511b-81e0-7125-abee29752fe7 | Manage availability and capacity | CMA_0356 - Manage availability and capacity | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 055da733-55c6-9e10-8194-c40731057ec4 | Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | df2e9507-169b-4114-3a52-877561ee3198 | Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | bb048641-6017-7272-7772-a008f285a520 | Develop spillage response procedures | CMA_0162 - Develop spillage response procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 97cfd944-6f0c-7db2-3796-8e890ef70819 | Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ffdaa742-0d6f-726f-3eac-6e6c34e36c93 | Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 09960521-759e-5d12-086f-4192a72a5e92 | Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0fd1ca29-677b-2f12-1879-639716459160 | Maintain data breach records | CMA_0351 - Maintain data breach records | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c4ccd607-702b-8ae6-8eeb-fc3339cd4b42 | Define cryptographic use | CMA_0120 - Define cryptographic use | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2d2ca910-7957-23ee-2945-33f401606efc | Accept only FICAM-approved third-party credentials | CMA_C1348 - Accept only FICAM-approved third-party credentials | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 03d550b4-34ee-03f4-515f-f2e2faf7a413 | Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f6794ab8-9a7d-3b24-76ab-265d3646232b | Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3eecf628-a1c8-1b48-1b5c-7ca781e97970 | Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5decc032-95bd-2163-9549-a41aba83228e | Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9c276cf3-596f-581a-7fbd-f5e46edaa0f4 | Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f48b60c6-4b37-332f-7288-b6ea50d300eb | Review controlled folder access events | CMA_0471 - Review controlled folder access events | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c | Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1d39b5d9-0392-8954-8359-575ce1957d1a | Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3af53f59-979f-24a8-540f-d7cdbc366607 | Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 86ecd378-a3a0-5d5b-207c-05e6aaca43fc | Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d48a6f19-a284-6fc6-0623-3367a74d3f50 | Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 98e33927-8d7f-6d5f-44f5-2469b40b7215 | Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 94c842e3-8098-38f9-6d3f-8872b790527d | Remove or redact any PII | CMA_C1833 - Remove or redact any PII | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 70a7a065-a060-85f8-7863-eb7850ed2af9 | Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b4409bff-2287-8407-05fd-c73175a68302 | Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 396f465d-375e-57de-58ba-021adb008191 | Invalidate session identifiers at logout | CMA_C1661 - Invalidate session identifiers at logout | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5fe84a4c-1b0c-a738-2aba-ed49c9069d3b | Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2cc9c165-46bd-9762-5739-d2aae5ba90a1 | Automate account management | CMA_0026 - Automate account management | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b7306e73-0494-83a2-31f5-280e934a8f70 | Develop and document a DDoS response plan | CMA_0147 - Develop and document a DDoS response plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 36b74844-4a99-4c80-1800-b18a516d1585 | Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 00f12b6f-10d7-8117-9577-0f2b76488385 | Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d136ae80-54dd-321c-98b4-17acf4af2169 | Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-09-27 16:35:32 | BuiltIn |
| Regulatory Compliance | 4ac81669-00e2-9790-8648-71bc11bc91eb | Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-09-27 16:35:32 | BuiltIn |
| Regulatory Compliance | a30bd8e9-7064-312a-0e1f-e1b485d59f6e | Review exploit protection events | CMA_0472 - Review exploit protection events | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0ba211ef-0e85-2a45-17fc-401d1b3f8f85 | Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 898a5781-2254-5a37-34c7-d78ea7c20d55 | Publish SORNs for systems containing PII | CMA_C1862 - Publish SORNs for systems containing PII | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0123edae-3567-a05a-9b05-b53ebe9d3e7e | View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2c843d78-8f64-92b5-6a9b-e8186c0e7eb6 | Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 93fa357f-2e38-22a9-5138-8cc5124e1923 | Categorize information | CMA_0052 - Categorize information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b28c8687-4bbd-8614-0b96-cdffa1ac6d9c | Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 433de59e-7a53-a766-02c2-f80f8421469a | Implement incident handling | CMA_0318 - Implement incident handling | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 27965e62-141f-8cca-426f-d09514ee5216 | Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e3905a3c-97e7-0b4f-15fb-465c0927536f | Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 98145a9b-428a-7e81-9d14-ebb154a24f93 | View and investigate restricted users | CMA_0545 - View and investigate restricted users | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) | 2022-09-27 16:35:32 | BuiltIn |
| Regulatory Compliance | 5c40f27b-6791-18c5-3f85-7b863bd99c11 | Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 44b71aa8-099d-8b97-1557-0e853ec38e0d | Obtain functional properties of security controls | CMA_C1575 - Obtain functional properties of security controls | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4781e5fd-76b8-7d34-6df3-a0a7fca47665 | Prevent identifier reuse for the defined time period | CMA_C1314 - Prevent identifier reuse for the defined time period | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 49c23d9b-02b0-0e42-4f94-e8cef1b8381b | Audit user account status | CMA_0020 - Audit user account status | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c2cb4658-44dc-9d11-3dad-7c6802dd5ba3 | Generate error messages | CMA_C1724 - Generate error messages | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e7589f4e-1e8b-72c2-3692-1e14d7f3699f | Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 59bedbdc-0ba9-39b9-66bb-1d1c192384e6 | Control information flow | CMA_0079 - Control information flow | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c8aa992d-76b7-7ca0-07b3-31a58d773fa9 | Employ automated training environment | CMA_C1357 - Employ automated training environment | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab | Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8c255136-994b-9616-79f5-ae87810e0dcf | Enable network protection | CMA_0238 - Enable network protection | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e435f7e3-0dd9-58c9-451f-9b44b96c0232 | Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f476f3b0-4152-526e-a209-44e5f8c968d7 | Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3ae68d9a-5696-8c32-62d3-c6f9c52e437c | Refresh authenticators | CMA_0425 - Refresh authenticators | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d9af7f88-686a-5a8b-704b-eafdab278977 | Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5bac5fb7-7735-357b-767d-02264bfe5c3b | Perform all non-local maintenance | CMA_C1417 - Perform all non-local maintenance | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2927e340-60e4-43ad-6b5f-7a1468232cc2 | Configure detection whitelist | CMA_0068 - Configure detection whitelist | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 76d66b5c-85e4-93f5-96a5-ebb2fad61dc6 | Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c5784049-959f-6067-420c-f4cefae93076 | Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b6ad009f-5c24-1dc0-a25e-74b60e4da45f | Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3f1216b0-30ee-1ac9-3899-63eb744e85f5 | Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2f20840e-7925-221c-725d-757442753e7c | Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ba99d512-3baa-1c38-8b0b-ae16bbd34274 | Test contingency plan at an alternate processing location | CMA_C1265 - Test contingency plan at an alternate processing location | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b6b32f80-a133-7600-301e-398d688e7e0c | Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 67ada943-8539-083d-35d0-7af648974125 | Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e29a8f1b-149b-2fa3-969d-ebee1baa9472 | Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b4512986-80f5-1656-0c58-08866bd2673a | Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2f67e567-03db-9d1f-67dc-b6ffb91312f4 | Determine auditable events | CMA_0137 - Determine auditable events | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | efef28d0-3226-966a-a1e8-70e89c1b30bc | Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 83dfb2b8-678b-20a0-4c44-5c75ada023e6 | Document mobility training | CMA_0191 - Document mobility training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4c385143-09fd-3a34-790c-a5fd9ec77ddc | Provide role-based security training | CMA_C1094 - Provide role-based security training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 518eafdd-08e5-37a9-795b-15a8d798056d | Provide privacy training | CMA_0415 - Provide privacy training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6c0a312f-04c5-5c97-36a5-e56763a02b6b | Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ece8bb17-4080-5127-915f-dc7267ee8549 | Verify security functions | CMA_C1708 - Verify security functions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Security Center | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Default Audit Allowed Audit, Disabled |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4 | Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3b30aa25-0f19-6c04-5ca4-bd3f880a763d | Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 72889284-15d2-90b2-4b39-a1e9541e1152 | Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4e400494-53a5-5147-6f4d-718b539c7394 | Manage compliance activities | CMA_0358 - Manage compliance activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a315c657-4a00-8eba-15ac-44692ad24423 | Protect special information | CMA_0409 - Protect special information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ca6d7878-3189-1833-4620-6c7254ed1607 | Obtain continuous monitoring plan for security controls | CMA_C1577 - Obtain continuous monitoring plan for security controls | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 48c816c5-2190-61fc-8806-25d6f3df162f | Monitor access across the organization | CMA_0376 - Monitor access across the organization | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3153d9c0-2584-14d3-362d-578b01358aeb | Retain training records | CMA_0456 - Retain training records | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | adf517f3-6dcd-3546-9928-34777d0c277e | Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10 | Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c42f19c9-5d88-92da-0742-371a0ea03126 | Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | dd6d00a8-701a-5935-a22b-c7b9c0c698b2 | Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2af551d5-1775-326a-0589-590bfb7e9eb2 | Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | aeed863a-0f56-429f-945d-8bb66bd06841 | Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | bab9ef1d-a16d-421a-822d-3fa94e808156 | Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8bb40df9-23e4-4175-5db3-8dba86349b73 | Confirm quality and integrity of PII | CMA_C1821 - Confirm quality and integrity of PII | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 398fdbd8-56fd-274d-35c6-fa2d3b2755a1 | Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 80a97208-264e-79da-0cc7-4fca179a0c9c | Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.1.0 > 2.0.0) | 2022-09-27 16:35:32 | BuiltIn |
| Regulatory Compliance | 21832235-7a07-61f4-530d-d596f76e5b95 | Implement security testing, training, and monitoring plans | CMA_C1753 - Implement security testing, training, and monitoring plans | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 70fe686f-1f91-7dab-11bf-bca4201e183b | Review role group changes weekly | CMA_0476 - Review role group changes weekly | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2d14ff7e-6ff9-838c-0cde-4962ccdb1689 | Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 03b6427e-6072-4226-4bd9-a410ab65317e | Design an access control model | CMA_0129 - Design an access control model | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | dc7ec756-221c-33c8-0afe-c48e10e42321 | Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 37b0045b-3887-367b-8b4d-b9a6fa911bb9 | Assess information security events | CMA_0013 - Assess information security events | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c72fc0c8-2df8-7506-30be-6ba1971747e1 | Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 50e9324a-7410-0539-0662-2c1e775538b7 | Authorize and manage access | CMA_0023 - Authorize and manage access | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b320aa42-33b4-53af-87ce-100091d48918 | Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6baae474-434f-2e91-7163-a72df30c4847 | Manage security state of information systems | CMA_C1746 - Manage security state of information systems | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 449ebb52-945b-36e5-3446-af6f33770f8f | Update the security authorization | CMA_C1160 - Update the security authorization | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 97d91b33-7050-237b-3e23-a77d57d84e13 | Issue public key certificates | CMA_0347 - Issue public key certificates | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8bfdbaa6-6824-3fec-9b06-7961bf7389a6 | Initiate contingency plan testing corrective actions | CMA_C1263 - Initiate contingency plan testing corrective actions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | de936662-13dc-204c-75ec-1af80f994088 | Provide contingency training | CMA_0412 - Provide contingency training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 4edaca8c-0912-1ac5-9eaa-6a1057740fae | Provide capability to disconnect or disable remote access | CMA_C1066 - Provide capability to disconnect or disable remote access | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d42a8f69-a193-6cbc-48b9-04a9e29961f1 | Protect wireless access | CMA_0411 - Protect wireless access | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f8ded0c6-a668-9371-6bb6-661d58787198 | Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 74041cfe-3f87-1d17-79ec-34ca5f895542 | Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e21f91d1-2803-0282-5f2d-26ebc4b170ef | Update organizational access agreements | CMA_0520 - Update organizational access agreements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a44c9fba-43f8-4b7b-7ee6-db52c96b4366 | Facilitate information sharing | CMA_0284 - Facilitate information sharing | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f | Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 06f84330-4c27-21f7-72cd-7488afd50244 | Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7b28ba4f-0a87-46ac-62e1-46b7c09202a8 | Monitor account activity | CMA_0377 - Monitor account activity | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | d91558ce-5a5c-551b-8fbb-83f793255e09 | Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | eff6e4a5-3efe-94dd-2ed1-25d56a019a82 | Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0461cacd-0b3b-4f66-11c5-81c9b19a3d22 | Verify inaccurate or outdated PII | CMA_C1823 - Verify inaccurate or outdated PII | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8b1da407-5e60-5037-612e-2caa1b590719 | Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 6a379d74-903b-244a-4c44-838728bea6b0 | Analyse data obtained from continuous monitoring | CMA_C1169 - Analyse data obtained from continuous monitoring | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 496b407d-9b9e-81e8-4ba4-44bc686b016a | Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 96333008-988d-4add-549b-92b3a8c42063 | Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 56fb5173-3865-5a5d-5fad-ae33e53e1577 | Address information security issues | CMA_C1742 - Address information security issues | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 35de8462-03ff-45b3-5746-9d4603c74c56 | Implement an insider threat program | CMA_C1751 - Implement an insider threat program | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c148208b-1a6f-a4ac-7abc-23b1d41121b1 | Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 97f0d974-1486-01e2-2088-b888f46c0589 | Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | a465e8e9-0095-85cb-a05f-1dd4960d02af | Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c6fe3856-4635-36b6-983c-070da12a953b | Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7a489c62-242c-5db9-74df-c073056d6fa3 | Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b8689b2e-4308-a58b-a0b4-6f3343a000df | Use automated mechanisms for security alerts | CMA_C1707 - Use automated mechanisms for security alerts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 63f63e71-6c3f-9add-4c43-64de23e554a7 | Manage gateways | CMA_0363 - Manage gateways | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | af38215f-70c4-0cd6-40c2-c52d86690a45 | Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 25a1f840-65d0-900a-43e4-bee253de04de | Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 10c3a1b1-29b0-a2d5-8f4c-a284b0f07830 | Implement cryptographic mechanisms | CMA_C1419 - Implement cryptographic mechanisms | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 46ab2c5e-6654-1f58-8c83-e97a44f39308 | Identify external service providers | CMA_C1591 - Identify external service providers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 516be556-1353-080d-2c2f-f46f000d5785 | Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e336d5f4-4d8f-0059-759c-ae10f63d1747 | Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2f204e72-1896-3bf8-75c9-9128b8683a36 | Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Monitoring | d4b065e2-fbda-4461-a42c-b0346aeb12a0 | The legacy Log Analytics extension should not be installed on Linux virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machines. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add |
new Policy | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 50e81644-923d-33fc-6ebb-9733bc8d1a06 | Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | cbfa1bd0-714d-8d6f-0480-2ad6a53972df | Define and document government oversight | CMA_C1587 - Define and document government oversight | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | c7fddb0e-3f44-8635-2b35-dc6b8e740b7c | Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ed87d27a-9abf-7c71-714c-61d881889da4 | Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | eb1c944e-0e94-647b-9b7e-fdb8d2af0838 | Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 92ede480-154e-0e22-4dca-8b46a74a3a51 | Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 279052a0-8238-694d-9661-bf649f951747 | Identify contaminated systems and components | CMA_0300 - Identify contaminated systems and components | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | afd5d60a-48d2-8073-1ec2-6687e22f2ddd | Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 874a6f2e-2098-53bc-3a16-20dcdc425a7e | Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f131c8c5-a54a-4888-1efc-158928924bc1 | Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b11697e8-9515-16f1-7a35-477d5c8a1344 | Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 1cb7bf71-841c-4741-438a-67c65fdd7194 | Provide security training for new users | CMA_0419 - Provide security training for new users | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3eabed6d-1912-2d3c-858b-f438d08d0412 | Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b7897ddc-9716-2460-96f7-7757ad038cc4 | Assign risk designations | CMA_0016 - Assign risk designations | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 29363ae1-68cd-01ca-799d-92c9197c8404 | Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 10c4210b-3ec9-9603-050d-77e4d26c7ebb | Enforce logical access | CMA_0245 - Enforce logical access | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | f3c17714-8ce7-357f-4af2-a0baa63a063f | Make SORNs available publicly | CMA_C1865 - Make SORNs available publicly | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | db28735f-518f-870e-15b4-49623cbe3aa0 | Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b269a749-705e-8bff-055a-147744675cdf | Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0bbfd658-93ab-6f5e-1e19-3c1c1da62d01 | Keep accurate accounting of disclosures of information | CMA_C1818 - Keep accurate accounting of disclosures of information | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 8cd815bf-97e1-5144-0735-11f6ddb50a59 | Enforce and audit access restrictions | CMA_C1203 - Enforce and audit access restrictions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 9c93ef57-7000-63fb-9b74-88f2e17ca5d2 | Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7 | Define a physical key management process | CMA_0115 - Define a physical key management process | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 18e9d748-73d4-0c96-55ab-b108bfbd5bc3 | Notify personnel of any failed security verification tests | CMA_C1710 - Notify personnel of any failed security verification tests | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 5e4e9685-3818-5934-0071-2620c4fa2ca5 | Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08 | Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 81b6267b-97a7-9aa5-51ee-d2584a160424 | Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 2401b496-7f23-79b2-9f80-89bb5abf3d4a | Protect incident response plan | CMA_0405 - Protect incident response plan | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e0c480bf-0d68-a42d-4cbb-b60f851f8716 | Implement personnel screening | CMA_0322 - Implement personnel screening | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 3881168c-5d38-6f04-61cc-b5d87b2c4c58 | Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | ae5345d5-8dab-086a-7290-db43a3272198 | Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 60ee1260-97f0-61bb-8155-5d8b75743655 | Separate duties of individuals | CMA_0492 - Separate duties of individuals | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | b1666a13-8f67-9c47-155e-69e027ff6823 | Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | 7ded6497-815d-6506-242b-e043e0273928 | Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Regulatory Compliance | e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9 | Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Default Manual Allowed Manual, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-09-27 16:35:32 | BuiltIn | |
| Guest Configuration | 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 | [Preview]: Configure Windows Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Guest Configuration Resource Contributor |
add |
new Policy | 2022-09-23 16:35:49 | BuiltIn |
| Network | 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 | Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows | Enabling all Intrusion Detection and Prevention System (IDPS) signature rules is recommanded to better identify known threats in the traffic flows. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-09-23 16:35:49 | BuiltIn | |
| Monitoring | d2185817-5b7e-473c-aadd-9de6ac114280 | The legacy Log Analytics extension should not be installed on virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machines. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add |
new Policy | 2022-09-23 16:35:49 | BuiltIn | |
| Monitoring | ba6881f9-ab93-498b-8bad-bb91b1d755bf | The legacy Log Analytics extension should not be installed on virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add |
new Policy | 2022-09-23 16:35:49 | BuiltIn | |
| Storage | 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 | Storage accounts should prevent shared key access | Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-09-23 16:35:49 | BuiltIn | |
| Security Center | 9297c21d-2ed6-4474-b48f-163f75654ce3 | [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2022-09-23 16:35:49 | BuiltIn | |
| Network | f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf | Subscription should configure the Azure Firewall Premium to provide additional layer of protection | Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-23 16:35:49 | BuiltIn | |
| Security Center | 1288c8d7-4b05-4e3a-bc88-9053caefc021 | [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets | Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-09-23 16:35:49 | BuiltIn |
| Network | 632d3993-e2c0-44ea-a7db-2eca131f356d | Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-09-23 16:35:49 | BuiltIn | |
| Storage | 59759c62-9a22-4cdf-ae64-074495983fef | Configure diagnostic settings for Storage Accounts to Log Analytics workspace | Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-09-23 16:35:49 | BuiltIn |
| Storage | 25a70cc8-2bd4-47f1-90b6-1478e4662c96 | Configure diagnostic settings for File Services to Log Analytics workspace | Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-09-23 16:35:49 | BuiltIn |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4cd5 | [Preview]: Configure ChangeTracking Extension for Windows Arc machines | Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-09-23 16:35:49 | BuiltIn |
| Storage | b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb | Configure diagnostic settings for Blob Services to Log Analytics workspace | Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-09-23 16:35:49 | BuiltIn |
| Security Center | ec88097d-843f-4a92-8471-78016d337ba4 | [Preview]: Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-09-23 16:35:49 | BuiltIn |
| Network | 711c24bb-7f18-4578-b192-81a6161e1f17 | Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection | Configure a valid intermediate certificate and enable Azure Firewall Premium TLS inspection to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-09-23 16:35:49 | BuiltIn | |
| Network | 6484db87-a62d-4327-9f07-80a2cbdf333a | Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) | Enabling the Intrusion Detection and Prevention System (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it. To learn more about the Intrusion Detection and Prevention System (IDPS) with Azure Firewall Premium, visit https://aka.ms/fw-idps | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-09-23 16:35:49 | BuiltIn | |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d2c | [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets | Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-09-23 16:35:49 | BuiltIn |
| Monitoring | df441472-4dae-4e4e-87b9-9205ba46be16 | The legacy Log Analytics extension should not be installed on Azure Arc enabled Windows servers | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Windows servers. Learn more: https://aka.ms/migratetoAMA | Default Audit Allowed Deny, Audit, Disabled |
add |
new Policy | 2022-09-23 16:35:49 | BuiltIn | |
| Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-09-23 16:35:49 | BuiltIn |
| Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-09-23 16:35:49 | BuiltIn |
| Security Center | 10caed8a-652c-4d1d-84e4-2805b7c07278 | [Preview]: Configure ChangeTracking Extension for Linux Arc machines | Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-09-23 16:35:49 | BuiltIn |
| Network | f516dc7a-4543-4d40-aad6-98f76a706b50 | Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium | Intrusion Detection and Prevention System (IDPS) Bypass List allows you to not filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list. However, enabling IDPS is recommanded for all traffic flows to better identify known threats. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-09-23 16:35:49 | BuiltIn | |
| Security Center | f08f556c-12ff-464d-a7de-40cb5b6cccec | [Preview]: Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-09-23 16:35:49 | BuiltIn |
| Regulatory Compliance | 3bd4e0af-7cbb-a3ec-4918-056a3c017ae2 | Keep SORNs updated | CMA_C1863 - Keep SORNs updated | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 7fc1f0da-0050-19bb-3d75-81ae15940df6 | Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 41172402-8d73-64c7-0921-909083c086b0 | Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 245fe58b-96f8-9f1e-48c5-7f49903f66fd | Establish alternate storage site that facilitates recovery operations | CMA_C1270 - Establish alternate storage site that facilitates recovery operations | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 611ebc63-8600-50b6-a0e3-fef272457132 | Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 4e45863d-9ea9-32b4-a204-2680bc6007a6 | Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (7.0.1 > 8.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | cf9ca02d-383e-4506-a421-258cc1a5300d | [Deprecated]: Function app slots should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | c8aa992d-76b7-7ca0-07b3-31a58d773fa9 | Employ automated training environment | CMA_C1357 - Employ automated training environment | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | cdcb825f-a0fb-31f9-29c1-ab566718499a | Publish Computer Matching Agreements on public website | CMA_C1829 - Publish Computer Matching Agreements on public website | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | cb8841d4-9d13-7292-1d06-ba4d68384681 | Perform a business impact assessment and application criticality assessment | CMA_0386 - Perform a business impact assessment and application criticality assessment | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | f131c8c5-a54a-4888-1efc-158928924bc1 | Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 20012034-96f0-85c2-4a86-1ae1eb457802 | Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 9c954fcf-6dd8-81f1-41b5-832ae5c62caf | Incorporate simulated contingency training | CMA_C1260 - Incorporate simulated contingency training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b4e19d22-8c0e-7cad-3219-c84c62dc250f | Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | f6da5cca-5795-60ff-49e1-4972567815fe | Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 396f465d-375e-57de-58ba-021adb008191 | Invalidate session identifiers at logout | CMA_C1661 - Invalidate session identifiers at logout | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b262e1dd-08e9-41d4-963a-258909ad794b | Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68 | Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 39999038-9ef1-602a-158c-ce2367185230 | Define performance metrics | CMA_0124 - Define performance metrics | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Network | e920df7f-9a64-4066-9b58-52684c02a091 | Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | 09960521-759e-5d12-086f-4192a72a5e92 | Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.0 > 5.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 27ce30dd-3d56-8b54-6144-e26d9a37a541 | Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 8f835d6a-4d13-9a9c-37dc-176cebd37fda | Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | de251b09-4a5e-1204-4bef-62ac58d47999 | Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Storage | b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb | Configure diagnostic settings for Blob Services to Log Analytics workspace | Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | 449ebb52-945b-36e5-3446-af6f33770f8f | Update the security authorization | CMA_C1160 - Update the security authorization | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 94c842e3-8098-38f9-6d3f-8872b790527d | Remove or redact any PII | CMA_C1833 - Remove or redact any PII | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | edcc36f1-511b-81e0-7125-abee29752fe7 | Manage availability and capacity | CMA_0356 - Manage availability and capacity | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | a096cbd0-4693-432f-9374-682f485f23f3 | Configure Function apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | 037c0089-6606-2dab-49ad-437005b5035f | Identify incident response personnel | CMA_0301 - Identify incident response personnel | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 18e9d748-73d4-0c96-55ab-b108bfbd5bc3 | Notify personnel of any failed security verification tests | CMA_C1710 - Notify personnel of any failed security verification tests | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 4b8fd5da-609b-33bf-9724-1c946285a14c | Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 21832235-7a07-61f4-530d-d596f76e5b95 | Implement security testing, training, and monitoring plans | CMA_C1753 - Implement security testing, training, and monitoring plans | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, suffix remains equal (1.1.0-preview > 2.1.0-preview) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ffea18d9-13de-6505-37f3-4c1f88070ad7 | Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ef5a7059-6651-73b1-18b3-75b1b79c1565 | Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ca6d7878-3189-1833-4620-6c7254ed1607 | Obtain continuous monitoring plan for security controls | CMA_C1577 - Obtain continuous monitoring plan for security controls | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 96333008-988d-4add-549b-92b3a8c42063 | Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 178c8b7e-1b6e-4289-44dd-2f1526b678a1 | Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.0.2 > 7.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 0065241c-72e9-3b2c-556f-75de66332a94 | Establish parameters for searching secret authenticators and verifiers | CMA_0274 - Establish parameters for searching secret authenticators and verifiers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | bfc540fe-376c-2eef-4355-121312fa4437 | Maintain separate execution domains for running processes | CMA_C1665 - Maintain separate execution domains for running processes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | c981fa70-2e58-8141-1457-e7f62ebc2ade | Document organizational access agreements | CMA_0192 - Document organizational access agreements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 677e1da4-00c3-287a-563d-f4a1cf9b99a0 | Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 70057208-70cc-7b31-3c3a-121af6bc1966 | Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 46ab2c5e-6654-1f58-8c83-e97a44f39308 | Identify external service providers | CMA_C1591 - Identify external service providers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | f49925aa-9b11-76ae-10e2-6e973cc60f37 | Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 56fb5173-3865-5a5d-5fad-ae33e53e1577 | Address information security issues | CMA_C1742 - Address information security issues | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | d48a6f19-a284-6fc6-0623-3367a74d3f50 | Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 8b333332-6efd-7c0d-5a9f-d1eb95105214 | Employ FIPS 201-approved technology for PIV | CMA_C1579 - Employ FIPS 201-approved technology for PIV | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 74041cfe-3f87-1d17-79ec-34ca5f895542 | Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b470a37a-7a47-3792-34dd-7a793140702e | Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 2e7a98c9-219f-0d58-38dc-d69038224442 | Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | a44c9fba-43f8-4b7b-7ee6-db52c96b4366 | Facilitate information sharing | CMA_0284 - Facilitate information sharing | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9 | Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | bd6cbcba-4a2d-507c-53e3-296b5c238a8e | Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.1 > 4.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.0.2 > 7.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | be1c34ab-295a-07a6-785c-36f63c1d223e | Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b269a749-705e-8bff-055a-147744675cdf | Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | fd34e936-069e-4fe5-bac6-f7c9824caab6 | App Service app slots should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 3e37c891-840c-3eb4-78d2-e2e0bb5063e0 | Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 6f311b49-9b0d-8c67-3d6e-db80ae528173 | Bind authenticators and identities dynamically | CMA_0035 - Bind authenticators and identities dynamically | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | d136ae80-54dd-321c-98b4-17acf4af2169 | Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 1fdeb7c4-4c93-8271-a135-17ebe85f1cc7 | Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 7.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 464a7d7a-2358-4869-0b49-6d582ca21292 | Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2 | Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | d200f199-69f4-95a6-90b0-37ff0cf1040c | Provide the capability to extend or limit auditing on customer-deployed resources | CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51 | Publish access procedures in SORNs | CMA_C1848 - Publish access procedures in SORNs | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 03d550b4-34ee-03f4-515f-f2e2faf7a413 | Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 68d2e478-3b19-23eb-1357-31b296547457 | Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | d91558ce-5a5c-551b-8fbb-83f793255e09 | Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e29a8f1b-149b-2fa3-969d-ebee1baa9472 | Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | a1334a65-2622-28ee-5067-9d7f5b915cc5 | Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 8e920169-739d-40b5-3f99-c4d855327bb2 | Prohibit binary/machine-executable code | CMA_C1717 - Prohibit binary/machine-executable code | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 676c3c35-3c36-612c-9523-36d266a65000 | Require developers to provide training | CMA_C1611 - Require developers to provide training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | c3b3cc61-9c70-5d78-7f12-1aefcc477db7 | Review security testing, training, and monitoring plans | CMA_C1754 - Review security testing, training, and monitoring plans | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ba02d0a0-566a-25dc-73f1-101c726a19c5 | Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 5f2e834d-7e40-a4d5-a216-e49b16955ccf | Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 3153d9c0-2584-14d3-362d-578b01358aeb | Retain training records | CMA_0456 - Retain training records | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 6a379d74-903b-244a-4c44-838728bea6b0 | Analyse data obtained from continuous monitoring | CMA_C1169 - Analyse data obtained from continuous monitoring | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ced727b3-005e-3c5b-5cd5-230b79d56ee8 | Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 91cf132e-0c9f-37a8-a523-dc6a92cd2fb2 | Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 0f31d98d-5ce2-705b-4aa5-b4f6705110dd | Prepare alternate processing site for use as operational site | CMA_C1278 - Prepare alternate processing site for use as operational site | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (7.0.0 > 8.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 08c11b48-8745-034d-1c1b-a144feec73b9 | Restrict use of open source software | CMA_C1237 - Restrict use of open source software | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | adf517f3-6dcd-3546-9928-34777d0c277e | Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 4012c2b7-4e0e-a7ab-1688-4aab43f14420 | Map authenticated identities to individuals | CMA_0372 - Map authenticated identities to individuals | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb | Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | dd2523d5-2db3-642b-a1cf-83ac973b32c2 | Establish benchmarks for flaw remediation | CMA_C1675 - Establish benchmarks for flaw remediation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 95eb7d09-9937-5df9-11d9-20317e3f60df | Provide formal notice to individuals | CMA_C1864 - Provide formal notice to individuals | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e750ca06-1824-464a-2cf3-d0fa754d1cb4 | Establish a secure software development program | CMA_0259 - Establish a secure software development program | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6 | Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e7422f08-65b4-50e4-3779-d793156e0079 | Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 72d04c29-f87d-4575-9731-419ff16a2757 | App Service apps should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b | Configure App Service apps to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | 44b71aa8-099d-8b97-1557-0e853ec38e0d | Obtain functional properties of security controls | CMA_C1575 - Obtain functional properties of security controls | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | cbfa1bd0-714d-8d6f-0480-2ad6a53972df | Define and document government oversight | CMA_C1587 - Define and document government oversight | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 874a6f2e-2098-53bc-3a16-20dcdc425a7e | Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ca748dfe-3e28-1d18-4221-89aea30aa0a5 | Identify status of individual users | CMA_C1316 - Identify status of individual users | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 04837a26-2601-1982-3da7-bf463e6408f4 | Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 2d14ff7e-6ff9-838c-0cde-4962ccdb1689 | Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | a30bd8e9-7064-312a-0e1f-e1b485d59f6e | Review exploit protection events | CMA_0472 - Review exploit protection events | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 096a7055-30cb-2db4-3fda-41b20ac72667 | Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | a1a22235-dd10-4062-bd55-7d62778f41b0 | Function app slots should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.0 > 5.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Network | 5e1cd26a-5090-4fdb-9d6a-84a90335e22d | Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | b33d61c1-7463-7025-0ec0-a47585b59147 | Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | a8df9c78-4044-98be-2c05-31a315ac8957 | Conform to FICAM-issued profiles | CMA_C1350 - Conform to FICAM-issued profiles | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 16c54e01-9e65-7524-7c33-beda48a75779 | Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | a90c4d44-7fac-8e02-6d5b-0d92046b20e6 | Automate flaw remediation | CMA_0027 - Automate flaw remediation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 33d34fac-56a8-1c0f-0636-3ed94892a709 | Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 7a114735-a420-057d-a651-9a73cd0416ef | Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 2d2ca910-7957-23ee-2945-33f401606efc | Accept only FICAM-approved third-party credentials | CMA_C1348 - Accept only FICAM-approved third-party credentials | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (8.0.0 > 9.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 7b28ba4f-0a87-46ac-62e1-46b7c09202a8 | Monitor account activity | CMA_0377 - Monitor account activity | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 76d66b5c-85e4-93f5-96a5-ebb2fad61dc6 | Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 2f204e72-1896-3bf8-75c9-9128b8683a36 | Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | aa305b4d-8c84-1754-0c74-dec004e66be0 | Develop contingency plan | CMA_C1244 - Develop contingency plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 08cf2974-d178-48a0-b26d-f6b8e555748b | Configure Function app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.1 > 4.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 25a1f840-65d0-900a-43e4-bee253de04de | Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 1a2a03a4-9992-5788-5953-d8f6615306de | Govern policies and procedures | CMA_0292 - Govern policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | d7c1ecc3-2980-a079-1569-91aec8ac4a77 | Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 75b9db50-7906-2351-98ae-0458218609e5 | Retain accounting of disclosures of information | CMA_C1819 - Retain accounting of disclosures of information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | dcbc65aa-59f3-4239-8978-3bb869d82604 | App Service apps should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 60442979-6333-85f0-84c5-b887bac67448 | Evaluate alternate processing site capabilities | CMA_C1266 - Evaluate alternate processing site capabilities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 22c16ae4-19d0-29cb-422f-cb44061180ee | Disable user accounts posing a significant risk | CMA_C1026 - Disable user accounts posing a significant risk | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | f6794ab8-9a7d-3b24-76ab-265d3646232b | Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 3af53f59-979f-24a8-540f-d7cdbc366607 | Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | a4493012-908c-5f48-a468-1e243be884ce | Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 13939f8c-4cd5-a6db-9af4-9dfec35e3722 | Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 3054c74b-9b45-2581-56cf-053a1a716c39 | Accept assessment results | CMA_C1150 - Accept assessment results | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (7.0.0 > 8.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.0 > 6.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 0040d2e5-2779-170d-6a2c-1f5fca353335 | Restrict location of information processing, storage and services | CMA_C1593 - Restrict location of information processing, storage and services | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 81b6267b-97a7-9aa5-51ee-d2584a160424 | Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | df54d34f-65f3-39f1-103c-a0464b8615df | Manage transfers between standby and active system components | CMA_0371 - Manage transfers between standby and active system components | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 3baee3fd-30f5-882c-018c-cc78703a0106 | Employ independent assessors for continuous monitoring | CMA_C1168 - Employ independent assessors for continuous monitoring | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 90a156a6-49ed-18d1-1052-69aac27c05cd | Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | dc7ec756-221c-33c8-0afe-c48e10e42321 | Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | cae7c12e-764b-4c87-841a-fdc6675d196f | App Service app slots should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 6.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 1fdf0b24-4043-3c55-357e-036985d50b52 | Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e54901fe-42c2-7f3b-3c5f-327aa5320a69 | Automate information sharing decisions | CMA_0028 - Automate information sharing decisions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 13bcff5d-f0eb-4ce7-913e-83ad6300376b | Function app slots should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 55be3260-a7a2-3c06-7fe6-072d07525ab7 | Accept PIV credentials | CMA_C1347 - Accept PIV credentials | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 5269d7e4-3768-501d-7e46-66c56c15622c | Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.0 > 6.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b8689b2e-4308-a58b-a0b4-6f3343a000df | Use automated mechanisms for security alerts | CMA_C1707 - Use automated mechanisms for security alerts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab | Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Storage | 25a70cc8-2bd4-47f1-90b6-1478e4662c96 | Configure diagnostic settings for File Services to Log Analytics workspace | Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-09-19 17:41:40 | BuiltIn |
| Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | d25cbded-121e-0ed6-1857-dc698c9095b1 | Take action in response to customer information | CMA_C1554 - Take action in response to customer information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-09-19 17:41:40 | BuiltIn |
| App Service | 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 | Function app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 6de65dc4-8b4f-34b7-9290-eb137a2e2929 | Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 14a4fd0a-9100-1e12-1362-792014a28155 | Update contingency plan | CMA_C1248 - Update contingency plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ff136354-1c92-76dc-2dab-80fb7c6a9f1a | Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 28aa060e-25c7-6121-05d8-a846f11433df | Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 84a01872-5318-049e-061e-d56734183e84 | Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 898a5781-2254-5a37-34c7-d78ea7c20d55 | Publish SORNs for systems containing PII | CMA_C1862 - Publish SORNs for systems containing PII | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 0716f0f5-4955-2ccb-8d5e-c6be14d57c0f | Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 6baae474-434f-2e91-7163-a72df30c4847 | Manage security state of information systems | CMA_C1746 - Manage security state of information systems | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 77cc89bb-774f-48d7-8a84-fb8c322c3000 | Track software license usage | CMA_C1235 - Track software license usage | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 | App Service app slots should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.1.0 > 2.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | de077e7e-0cc8-65a6-6e08-9ab46c827b05 | Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 22457e81-3ec6-5271-a786-c3ca284601dd | Isolate information spills | CMA_0346 - Isolate information spills | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 69d90ee6-9f9f-262a-2038-d909fb4e5723 | Identify spilled information | CMA_0303 - Identify spilled information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 82bd024a-5c99-05d6-96ff-01f539676a1a | Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4 | Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | afd5d60a-48d2-8073-1ec2-6687e22f2ddd | Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 2af4640d-11a6-a64b-5ceb-a468f4341c0c | Define and enforce inactivity log policy | CMA_C1017 - Define and enforce inactivity log policy | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (3.0.0 > 4.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 2401b496-7f23-79b2-9f80-89bb5abf3d4a | Protect incident response plan | CMA_0405 - Protect incident response plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e7589f4e-1e8b-72c2-3692-1e14d7f3699f | Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 6.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 00f12b6f-10d7-8117-9577-0f2b76488385 | Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115 | Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 3eecf628-a1c8-1b48-1b5c-7ca781e97970 | Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 12af7c7a-92af-9e96-0d0c-5e732d1a3751 | Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 75b42dcf-7840-1271-260b-852273d7906e | Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ba99d512-3baa-1c38-8b0b-ae16bbd34274 | Test contingency plan at an alternate processing location | CMA_C1265 - Test contingency plan at an alternate processing location | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | d8350d4c-9314-400b-288f-20ddfce04fbd | Define and enforce the limit of concurrent sessions | CMA_C1050 - Define and enforce the limit of concurrent sessions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | d9af7f88-686a-5a8b-704b-eafdab278977 | Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 2f7c08c2-f671-4282-9fdb-597b6ef2c10d | [Deprecated]: App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 085467a6-9679-5c65-584a-f55acefd0d43 | Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 | Configure Function apps to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | bbb2e6d6-085f-5a35-a55d-e45daad38933 | Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 06af77de-02ca-0f3e-838a-a9420fe466f5 | Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 524e7136-9f6a-75ba-9089-501018151346 | Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 0471c6b7-1588-701c-2713-1fade73b75f6 | Display an explicit logout message | CMA_C1056 - Display an explicit logout message | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 171e377b-5224-4a97-1eaa-62a3b5231dac | Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 729c8708-2bec-093c-8427-2e87d2cd426d | Automate notification of employee termination | CMA_C1521 - Automate notification of employee termination | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 6bededc0-2985-54d5-4158-eb8bad8070a0 | Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c | Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | de936662-13dc-204c-75ec-1af80f994088 | Provide contingency training | CMA_0412 - Provide contingency training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 318b2bd9-9c39-9f8b-46a7-048401f33476 | Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | eb8a8df9-521f-3ccd-7e2c-3d1fcc812340 | Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e1379836-3492-6395-451d-2f5062e14136 | Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 59f7feff-02aa-6539-2cf7-bea75b762140 | Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 91a54089-2d69-0f56-62dc-b6371a1671c0 | Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 83eea3d3-0d2c-9ccd-1021-2111b29b2a62 | Ensure system capable of dynamic isolation of resources | CMA_C1638 - Ensure system capable of dynamic isolation of resources | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | e1a09430-221d-4d4c-a337-1edb5a1fa9bb | Function app slots should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | eff6e4a5-3efe-94dd-2ed1-25d56a019a82 | Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.0 > 6.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | f8a63511-66f1-503f-196d-d6217ee0823a | Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b65c5d8e-9043-9612-2c17-65f231d763bb | Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 725164e5-3b21-1ec2-7e42-14f077862841 | Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b320aa42-33b4-53af-87ce-100091d48918 | Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Storage | 59759c62-9a22-4cdf-ae64-074495983fef | Configure diagnostic settings for Storage Accounts to Log Analytics workspace | Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | 7ded6497-815d-6506-242b-e043e0273928 | Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | c6aeb800-0b19-944d-92dc-59b893722329 | Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 4c385143-09fd-3a34-790c-a5fd9ec77ddc | Provide role-based security training | CMA_C1094 - Provide role-based security training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | a28323fe-276d-3787-32d2-cef6395764c4 | Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | f7eb1d0b-6d4f-2d59-1591-7563e11a9313 | Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.0.1 > 7.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | eda0cbb7-6043-05bf-645b-67411f1a59b3 | Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e4054c0e-1184-09e6-4c5e-701e0bc90f81 | Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (7.0.0 > 8.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 015b4935-448a-8684-27c0-d13086356c33 | Implement a threat awareness program | CMA_C1758 - Implement a threat awareness program | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 0fd1ca29-677b-2f12-1879-639716459160 | Maintain data breach records | CMA_0351 - Maintain data breach records | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | f3c17714-8ce7-357f-4af2-a0baa63a063f | Make SORNs available publicly | CMA_C1865 - Make SORNs available publicly | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (8.0.0 > 9.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.2 > 6.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 29acfac0-4bb4-121b-8283-8943198b1549 | Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | bf883b14-9c19-0f37-8825-5e39a8b66d5b | Perform threat modeling | CMA_0392 - Perform threat modeling | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 3f1216b0-30ee-1ac9-3899-63eb744e85f5 | Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b7306e73-0494-83a2-31f5-280e934a8f70 | Develop and document a DDoS response plan | CMA_0147 - Develop and document a DDoS response plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 92b94485-1c49-3350-9ada-dffe94f08e87 | Obtain approvals for acquisitions and outsourcing | CMA_C1590 - Obtain approvals for acquisitions and outsourcing | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | db8b35d6-8adb-3f51-44ff-c648ab5b1530 | Employ FICAM-approved resources to accept third-party credentials | CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e9c60c37-65b0-2d72-6c3c-af66036203ae | Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 4edaca8c-0912-1ac5-9eaa-6a1057740fae | Provide capability to disconnect or disable remote access | CMA_C1066 - Provide capability to disconnect or disable remote access | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | dad1887d-161b-7b61-2e4d-5124a7b5724e | Measure the time between flaw identification and flaw remediation | CMA_C1674 - Measure the time between flaw identification and flaw remediation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 57adc919-9dca-817c-8197-64d812070316 | Develop an enterprise architecture | CMA_C1741 - Develop an enterprise architecture | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 2067b904-9552-3259-0cdd-84468e284b7c | Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 92a7591f-73b3-1173-a09c-a08882d84c70 | Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f | Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b544f797-a73b-1be3-6d01-6b1a085376bc | Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (8.0.0 > 9.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b9d45adb-471b-56a5-64d2-5b241f126174 | Automate privacy controls | CMA_C1817 - Automate privacy controls | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ced291b8-1d3d-7e27-40cf-829e9dd523c8 | Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 53fc1282-0ee3-2764-1319-e20143bb0ea5 | Review contingency plan | CMA_C1247 - Review contingency plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 98e33927-8d7f-6d5f-44f5-2469b40b7215 | Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ff1efad2-6b09-54cc-01bf-d386c4d558a8 | Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 3eabed6d-1912-2d3c-858b-f438d08d0412 | Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | cf79f602-1e60-5423-6c0c-e632c2ea1fc0 | Implement controls to protect PII | CMA_C1839 - Implement controls to protect PII | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 22a02c9a-49e4-5dc9-0d14-eb35ad717154 | Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.2.1 > 7.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | f30edfad-4e1d-1eef-27ee-9292d6d89842 | Perform security function verification at a defined frequency | CMA_C1709 - Perform security function verification at a defined frequency | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 834b7a4a-83ab-2188-1a26-9c5033d8173b | Incorporate security and data privacy practices in research processing | CMA_0331 - Incorporate security and data privacy practices in research processing | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 20762f1e-85fb-31b0-a600-e833633f10fe | Reveal error messages | CMA_C1725 - Reveal error messages | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | db580551-0b3c-4ea1-8a4c-4cdb5feb340f | Provide the logout capability | CMA_C1055 - Provide the logout capability | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.2 > 2.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 311802f9-098d-0659-245a-94c5d47c0182 | Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b7897ddc-9716-2460-96f7-7757ad038cc4 | Assign risk designations | CMA_0016 - Assign risk designations | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | 25a5046c-c423-4805-9235-e844ae9ef49b | Configure Function apps to turn off remote debugging | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | 5bac5fb7-7735-357b-767d-02264bfe5c3b | Perform all non-local maintenance | CMA_C1417 - Perform all non-local maintenance | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | dd6d00a8-701a-5935-a22b-c7b9c0c698b2 | Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | d9edcea6-6cb8-0266-a48c-2061fbac4310 | Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d | Configure App Service apps to use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn |
| Regulatory Compliance | bb048641-6017-7272-7772-a008f285a520 | Develop spillage response procedures | CMA_0162 - Develop spillage response procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 3a868d0c-538f-968b-0191-bddb44da5b75 | Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 8b077bff-516f-3983-6c42-c86e9a11868b | Designate individuals to fulfill specific roles and responsibilities | CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 4e400494-53a5-5147-6f4d-718b539c7394 | Manage compliance activities | CMA_0358 - Manage compliance activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| App Service | c285a320-8830-4665-9cc7-bbd05fc7c5c0 | App Service app slots should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | eb598832-4bcc-658d-4381-3ecbe17b9866 | Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | e21f91d1-2803-0282-5f2d-26ebc4b170ef | Update organizational access agreements | CMA_0520 - Update organizational access agreements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 10c3a1b1-29b0-a2d5-8f4c-a284b0f07830 | Implement cryptographic mechanisms | CMA_C1419 - Implement cryptographic mechanisms | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | c6fe3856-4635-36b6-983c-070da12a953b | Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | f801d58e-5659-9a4a-6e8d-02c9334732e5 | Restore resources to operational state | CMA_C1297 - Restore resources to operational state | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | c7e8ddc1-14aa-1814-7fe1-aad1742b27da | Enforce expiration of cached authenticators | CMA_C1343 - Enforce expiration of cached authenticators | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | ab02bb73-4ce1-89dd-3905-d93042809ba0 | Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 836f8406-3b8a-11bb-12cb-6c7fa0765668 | Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 279052a0-8238-694d-9661-bf649f951747 | Identify contaminated systems and components | CMA_0300 - Identify contaminated systems and components | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 098dcde7-016a-06c3-0985-0daaf3301d3a | Distribute authenticators | CMA_0184 - Distribute authenticators | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | b8587fce-138f-86e8-33a3-c60768bf1da6 | Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 0a412110-3874-9f22-187a-c7a81c8a6704 | Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-19 17:41:40 | BuiltIn | |
| Regulatory Compliance | 66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8 | Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 23d1a569-2d1e-7f43-9e22-1f94115b7dd5 | Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 77acc53d-0f67-6e06-7d04-5750653d4629 | Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 2af551d5-1775-326a-0589-590bfb7e9eb2 | Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 60ee1260-97f0-61bb-8155-5d8b75743655 | Separate duties of individuals | CMA_0492 - Separate duties of individuals | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | a08b18c7-9e0a-89f1-3696-d80902196719 | Document access privileges | CMA_0186 - Document access privileges | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5c33538e-02f8-0a7f-998b-a4c1e22076d3 | Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 1cb7bf71-841c-4741-438a-67c65fdd7194 | Provide security training for new users | CMA_0419 - Provide security training for new users | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 214ea241-010d-8926-44cc-b90a96d52adc | Compile Audit records into system wide audit | CMA_C1140 - Compile Audit records into system wide audit | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b6ad009f-5c24-1dc0-a25e-74b60e4da45f | Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | af5ff768-a34b-720e-1224-e6b3214f3ba6 | Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | df2e9507-169b-4114-3a52-877561ee3198 | Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8bfdbaa6-6824-3fec-9b06-7961bf7389a6 | Initiate contingency plan testing corrective actions | CMA_C1263 - Initiate contingency plan testing corrective actions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 62fa14f0-4cbe-762d-5469-0899a99b98aa | Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 08ad71d0-52be-6503-4908-e015460a16ae | Require use of individual authenticators | CMA_C1305 - Require use of individual authenticators | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 9b55929b-0101-47c0-a16e-d6ac5c7d21f8 | Undergo independent security review | CMA_0515 - Undergo independent security review | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 098a7b84-1031-66d8-4e78-bd15b5fd2efb | Provide privacy notice | CMA_0414 - Provide privacy notice | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8eea8c14-4d93-63a3-0c82-000343ee5204 | Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b0e3035d-6366-2e37-796e-8bcab9c649e6 | Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (2.1.0 > 3.0.0) | 2022-09-13 16:35:29 | BuiltIn |
| Regulatory Compliance | 6228396e-2ace-7ca5-3247-45767dbf52f4 | Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 36b74844-4a99-4c80-1800-b18a516d1585 | Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 0a24f5dc-8c40-94a7-7aee-bb7cd4781d37 | Issue guidelines for ensuring data quality and integrity | CMA_C1824 - Issue guidelines for ensuring data quality and integrity | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 9b8b05ec-3d21-215e-5d98-0f7cf0998202 | Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d4e6a629-28eb-79a9-000b-88030e4823ca | Coordinate with external organizations to achieve cross org perspective | CMA_C1368 - Coordinate with external organizations to achieve cross org perspective | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c79d378a-2521-822a-0407-57454f8d2c74 | Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 3c93dba1-84fd-57de-33c7-ef0400a08134 | Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Contributor •Managed Identity Operator •Virtual Machine Contributor |
change |
Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) | 2022-09-13 16:35:29 | BuiltIn |
| Regulatory Compliance | c42f19c9-5d88-92da-0742-371a0ea03126 | Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (2.1.0 > 3.0.0) | 2022-09-13 16:35:29 | BuiltIn |
| Regulatory Compliance | f78fc35e-1268-0bca-a798-afcba9d2330a | Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba | Review file and folder activity | CMA_0473 - Review file and folder activity | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | f741c4e6-41eb-15a4-25a2-61ac7ca232f0 | Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d02498e0-8a6f-6b02-8332-19adf6711d1e | Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | eab4450d-9e5c-4f38-0656-2ff8c78c83f3 | Document and implement privacy complaint procedures | CMA_0189 - Document and implement privacy complaint procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c423e64d-995c-9f67-0403-b540f65ba42a | Assess Security Controls | CMA_C1145 - Assess Security Controls | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | f8d141b7-4e21-62a6-6608-c79336e36bc9 | Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 79c75b38-334b-1a69-65e0-a9d929a42f75 | Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d93fe1be-13e4-421d-9c21-3158e2fa2667 | Implement plans of action and milestones for security program process | CMA_C1737 - Implement plans of action and milestones for security program process | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 1fb1cb0e-1936-6f32-42fd-89970b535855 | Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | cc057769-01d9-95ad-a36f-1e62a7f9540b | Update POA&M items | CMA_C1157 - Update POA&M items | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | a930f477-9dcb-2113-8aa7-45bb6fc90861 | Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 3ae68d9a-5696-8c32-62d3-c6f9c52e437c | Refresh authenticators | CMA_0425 - Refresh authenticators | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c2cb4658-44dc-9d11-3dad-7c6802dd5ba3 | Generate error messages | CMA_C1724 - Generate error messages | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 7d70383a-32f4-a0c2-61cf-a134851968c2 | Determine legal authority to collect PII | CMA_C1800 - Determine legal authority to collect PII | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 496b407d-9b9e-81e8-4ba4-44bc686b016a | Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 98145a9b-428a-7e81-9d14-ebb154a24f93 | View and investigate restricted users | CMA_0545 - View and investigate restricted users | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 11ba0508-58a8-44de-5f3a-9e05d80571da | Develop business classification schemes | CMA_0155 - Develop business classification schemes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b3c8cc83-20d3-3890-8bc8-5568777670f4 | Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | f27a298f-9443-014a-0d40-fef12adf0259 | Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 4ee5975d-2507-5530-a20a-83a725889c6f | Restrict unauthorized software and firmware installation | CMA_C1205 - Restrict unauthorized software and firmware installation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8 | Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 3545c827-26ee-282d-4629-23952a12008b | Conduct incident response testing | CMA_0060 - Conduct incident response testing | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | f8ded0c6-a668-9371-6bb6-661d58787198 | Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 509552f5-6528-3540-7959-fbeae4832533 | Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 27ab3ac0-910d-724d-0afa-1a2a01e996c0 | Respond to rectification requests | CMA_0442 - Respond to rectification requests | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 9c93ef57-7000-63fb-9b74-88f2e17ca5d2 | Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 93fa357f-2e38-22a9-5138-8cc5124e1923 | Categorize information | CMA_0052 - Categorize information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 4ac81669-00e2-9790-8648-71bc11bc91eb | Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 6c0a312f-04c5-5c97-36a5-e56763a02b6b | Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | e8c31e15-642d-600f-78ab-bad47a5787e6 | Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5715bf33-a5bd-1084-4e19-bc3c83ec1c35 | Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 4f23967c-a74b-9a09-9dc2-f566f61a87b9 | Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 7bdb79ea-16b8-453e-4ca4-ad5b16012414 | Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 18e7906d-4197-20fa-2f14-aaac21864e71 | Document process to ensure integrity of PII | CMA_C1827 - Document process to ensure integrity of PII | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 1beb1269-62ee-32cd-21ad-43d6c9750eb6 | Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 516be556-1353-080d-2c2f-f46f000d5785 | Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 92b49e92-570f-1765-804a-378e6c592e28 | Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 21633c09-804e-7fcd-78e3-635c6bfe2be7 | Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 97cfd944-6f0c-7db2-3796-8e890ef70819 | Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 6610f662-37e9-2f71-65be-502bdc2f554d | Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c5784049-959f-6067-420c-f4cefae93076 | Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 34aac8b2-488a-2b96-7280-5b9b481a317a | Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b2ea1058-8998-3dd1-84f1-82132ad482fd | Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 4ce91e4e-6dab-3c46-011a-aa14ae1561bf | Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 85335602-93f5-7730-830b-d43426fd51fa | Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 7d10debd-4775-85a7-1a41-7e128e0e8c50 | Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8cd815bf-97e1-5144-0735-11f6ddb50a59 | Enforce and audit access restrictions | CMA_C1203 - Enforce and audit access restrictions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 39eb03c1-97cc-11ab-0960-6209ed2869f7 | Establish a privacy program | CMA_0257 - Establish a privacy program | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | ebb0ba89-6d8c-84a7-252b-7393881e43de | Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 964b340a-43a4-4798-2af5-7aedf6cb001b | Collect PII directly from the individual | CMA_C1822 - Collect PII directly from the individual | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5226dee6-3420-711b-4709-8e675ebd828f | Update information security policies | CMA_0518 - Update information security policies | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | af227964-5b8b-22a2-9364-06d2cb9d6d7c | Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 6ab47bbf-867e-9113-7998-89b58f77326a | Respond to complaints, concerns, or questions timely | CMA_C1853 - Respond to complaints, concerns, or questions timely | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 97f0d974-1486-01e2-2088-b888f46c0589 | Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 979ed3b6-83f9-26bc-4b86-5b05464700bf | Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c72fc0c8-2df8-7506-30be-6ba1971747e1 | Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c7d57a6a-7cc2-66c0-299f-83bf90558f5d | Enforce random unique session identifiers | CMA_0247 - Enforce random unique session identifiers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 34738025-5925-51f9-1081-f2d0060133ed | Information security and personal data protection | CMA_0332 - Information security and personal data protection | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 7ad83b58-2042-085d-08f0-13e946f26f89 | Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 1ff03f2a-974b-3272-34f2-f6cd51420b30 | Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 80a97208-264e-79da-0cc7-4fca179a0c9c | Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c148208b-1a6f-a4ac-7abc-23b1d41121b1 | Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | afbecd30-37ee-a27b-8e09-6ac49951a0ee | Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9 | Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b8a9bb2f-7290-3259-85ce-dca7d521302d | Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8b1da407-5e60-5037-612e-2caa1b590719 | Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8c5d3d8d-5cba-0def-257c-5ab9ea9644dc | Perform a risk assessment | CMA_0388 - Perform a risk assessment | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5e4e9685-3818-5934-0071-2620c4fa2ca5 | Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | e89436d8-6a93-3b62-4444-1d2a42ad56b2 | Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 7a489c62-242c-5db9-74df-c073056d6fa3 | Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 055da733-55c6-9e10-8194-c40731057ec4 | Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 1ee4c7eb-480a-0007-77ff-4ba370776266 | Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 2927e340-60e4-43ad-6b5f-7a1468232cc2 | Configure detection whitelist | CMA_0068 - Configure detection whitelist | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | a8f9c283-9a66-3eb3-9e10-bdba95b85884 | Run simulation attacks | CMA_0486 - Run simulation attacks | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 26d178a4-9261-6f04-a100-47ed85314c6e | Implement security directives | CMA_C1706 - Implement security directives | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 069101ac-4578-31da-0cd4-ff083edd3eb4 | Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 1c258345-5cd4-30c8-9ef3-5ee4dd5231d6 | Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 07b42fb5-027e-5a3c-4915-9d9ef3020ec7 | Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e | Implement methods for consumer requests | CMA_0319 - Implement methods for consumer requests | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | dbcef108-7a04-38f5-8609-99da110a2a57 | Determine information protection needs | CMA_C1750 - Determine information protection needs | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | a465e8e9-0095-85cb-a05f-1dd4960d02af | Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c246d146-82b0-301f-32e7-1065dcd248b7 | Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 426c172c-9914-10d1-25dd-669641fc1af4 | Enable detection of network devices | CMA_0220 - Enable detection of network devices | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 04b3e7f6-4841-888d-4799-cda19a0084f6 | Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 1e0d5ba8-a433-01aa-829c-86b06c9631ec | Include dynamic reconfig of customer deployed resources | CMA_C1364 - Include dynamic reconfig of customer deployed resources | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (4.0.0 > 5.0.0) | 2022-09-13 16:35:29 | BuiltIn |
| Regulatory Compliance | 0123edae-3567-a05a-9b05-b53ebe9d3e7e | View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 9e3c505e-7aeb-2096-3417-b132242731fc | Review content prior to posting publicly accessible information | CMA_C1085 - Review content prior to posting publicly accessible information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 05ec66a2-137c-14b8-8e75-3d7a2bef07f8 | Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8c255136-994b-9616-79f5-ae87810e0dcf | Enable network protection | CMA_0238 - Enable network protection | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8019d788-713d-90a1-5570-dac5052f517d | Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | e4e1f896-8a93-1151-43c7-0ad23b081ee2 | Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 52375c01-4d4c-7acc-3aa4-5b3d53a047ec | Define the duties of processors | CMA_0127 - Define the duties of processors | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08 | Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | f29b17a4-0df2-8a50-058a-8570f9979d28 | Assign system identifiers | CMA_0018 - Assign system identifiers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 2b2f3a72-9e68-3993-2b69-13dcdecf8958 | Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 92ede480-154e-0e22-4dca-8b46a74a3a51 | Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 4aacaec9-0628-272c-3e83-0d68446694e0 | Manage Authenticators | CMA_C1321 - Manage Authenticators | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5023a9e7-8e64-2db6-31dc-7bce27f796af | Provide privacy notice to the public and to individuals | CMA_C1861 - Provide privacy notice to the public and to individuals | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 67ada943-8539-083d-35d0-7af648974125 | Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 3881168c-5d38-6f04-61cc-b5d87b2c4c58 | Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 70fe686f-1f91-7dab-11bf-bca4201e183b | Review role group changes weekly | CMA_0476 - Review role group changes weekly | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d | Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 043c1e56-5a16-52f8-6af8-583098ff3e60 | Create a data inventory | CMA_0096 - Create a data inventory | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 0ba211ef-0e85-2a45-17fc-401d1b3f8f85 | Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 37546841-8ea1-5be0-214d-8ac599588332 | Maintain incident response plan | CMA_0352 - Maintain incident response plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 68a39c2b-0f17-69ee-37a3-aa10f9853a08 | Establish voip usage restrictions | CMA_0280 - Establish voip usage restrictions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 84245967-7882-54f6-2d34-85059f725b47 | Establish an information security program | CMA_0263 - Establish an information security program | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-09-13 16:35:29 | BuiltIn |
| Regulatory Compliance | 0803eaa7-671c-08a7-52fd-ac419f775e75 | Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 10874318-0bf7-a41f-8463-03e395482080 | Correlate audit records | CMA_0087 - Correlate audit records | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 585af6e9-90c0-4575-67a7-2f9548972e32 | Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 3b30aa25-0f19-6c04-5ca4-bd3f880a763d | Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | aa0ddd99-43eb-302d-3f8f-42b499182960 | Install an alarm system | CMA_0338 - Install an alarm system | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 423f6d9c-0c73-9cc6-64f4-b52242490368 | Develop security safeguards | CMA_0161 - Develop security safeguards | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 0461cacd-0b3b-4f66-11c5-81c9b19a3d22 | Verify inaccurate or outdated PII | CMA_C1823 - Verify inaccurate or outdated PII | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | e0c480bf-0d68-a42d-4cbb-b60f851f8716 | Implement personnel screening | CMA_0322 - Implement personnel screening | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 4781e5fd-76b8-7d34-6df3-a0a7fca47665 | Prevent identifier reuse for the defined time period | CMA_C1314 - Prevent identifier reuse for the defined time period | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d18af1ac-0086-4762-6dc8-87cdded90e39 | Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | f48b60c6-4b37-332f-7288-b6ea50d300eb | Review controlled folder access events | CMA_0471 - Review controlled folder access events | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 6122970b-8d4a-7811-0278-4c6c68f61e4f | Restrict media use | CMA_0450 - Restrict media use | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | ffdaa742-0d6f-726f-3eac-6e6c34e36c93 | Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 44f8a42d-739f-8030-89a8-4c2d5b3f6af3 | Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 13ef3484-3a51-785a-9c96-500f21f84edd | Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | e6f7b584-877a-0d69-77d4-ab8b923a9650 | Document separation of duties | CMA_0204 - Document separation of duties | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d041726f-00e0-41ca-368c-b1a122066482 | Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | fc26e2fd-3149-74b4-5988-d64bb90f8ef7 | Separately store backup information | CMA_C1293 - Separately store backup information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | ee67c031-57fc-53d0-0cca-96c4c04345e8 | Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b5244f81-6cab-3188-2412-179162294996 | Review publicly accessible content for nonpublic information | CMA_C1086 - Review publicly accessible content for nonpublic information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 57927290-8000-59bf-3776-90c468ac5b4b | Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b5a4be05-3997-1731-3260-98be653610f6 | Perform disposition review | CMA_0391 - Perform disposition review | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d4f70530-19a2-2a85-6e0c-0c3c465e3325 | Make accounting of disclosures available upon request | CMA_C1820 - Make accounting of disclosures available upon request | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | aa892c0d-2c40-200c-0dd8-eac8c4748ede | Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | ba78efc6-795c-64f4-7a02-91effbd34af9 | Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b4512986-80f5-1656-0c58-08866bd2673a | Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 29363ae1-68cd-01ca-799d-92c9197c8404 | Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 9ac8621d-9acd-55bf-9f99-ee4212cc3d85 | Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5c40f27b-6791-18c5-3f85-7b863bd99c11 | Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 33602e78-35e3-4f06-17fb-13dd887448e4 | Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 1282809c-9001-176b-4a81-260a085f4872 | Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b28c8687-4bbd-8614-0b96-cdffa1ac6d9c | Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 0f4fa857-079d-9d3d-5c49-21f616189e03 | Provide real-time alerts for audit event failures | CMA_C1114 - Provide real-time alerts for audit event failures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c2eabc28-1e5c-78a2-a712-7cc176c44c07 | Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 433de59e-7a53-a766-02c2-f80f8421469a | Implement incident handling | CMA_0318 - Implement incident handling | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8bb40df9-23e4-4175-5db3-8dba86349b73 | Confirm quality and integrity of PII | CMA_C1821 - Confirm quality and integrity of PII | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 35963d41-4263-0ef9-98d5-70eb058f9e3c | Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | f33c3238-11d2-508c-877c-4262ec1132e1 | Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 4c6df5ff-4ef2-4f17-a516-0da9189c603b | Assign account managers | CMA_0015 - Assign account managers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0 | Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 0bbfd658-93ab-6f5e-1e19-3c1c1da62d01 | Keep accurate accounting of disclosures of information | CMA_C1818 - Keep accurate accounting of disclosures of information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8b1f29eb-1b22-4217-5337-9207cb55231e | Perform information input validation | CMA_C1723 - Perform information input validation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | fd81a1b3-2d7a-107c-507e-29b87d040c19 | Enforce appropriate usage of all accounts | CMA_C1023 - Enforce appropriate usage of all accounts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4 | Define mobile device requirements | CMA_0122 - Define mobile device requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8a703eb5-4e53-701b-67e4-05ba2f7930c8 | Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 9150259b-617b-596d-3bf5-5ca3fce20335 | Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d36700f2-2f0d-7c2a-059c-bdadd1d79f70 | Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | bab9ef1d-a16d-421a-822d-3fa94e808156 | Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 2b05dca2-25ec-9335-495c-29155f785082 | Provide security training before providing access | CMA_0418 - Provide security training before providing access | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-09-13 16:35:29 | BuiltIn |
| Regulatory Compliance | d78f95ba-870a-a500-6104-8a5ce2534f19 | Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 13efd2d7-3980-a2a4-39d0-527180c009e8 | Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 623b5f0a-8cbd-03a6-4892-201d27302f0c | Define information system account types | CMA_0121 - Define information system account types | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 54a9c072-4a93-2a03-6a43-a060d30383d7 | Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5d3abfea-a130-1208-29c0-e57de80aa6b0 | Review the results of contingency plan testing | CMA_C1262 - Review the results of contingency plan testing | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 37b0045b-3887-367b-8b4d-b9a6fa911bb9 | Assess information security events | CMA_0013 - Assess information security events | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 6b957f60-54cd-5752-44d5-ff5a64366c93 | Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | eaaae23f-92c9-4460-51cf-913feaea4d52 | Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | ad1d562b-a04b-15d3-6770-ed310b601cb5 | Publish rules and regulations accessing Privacy Act records | CMA_C1847 - Publish rules and regulations accessing Privacy Act records | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5020f3f4-a579-2f28-72a8-283c5a0b15f9 | Restrict communications | CMA_0449 - Restrict communications | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | f2222056-062d-1060-6dc2-0107a68c34b2 | Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 01c387ea-383d-4ca9-295a-977fab516b03 | Authorize remote access to privileged commands | CMA_C1064 - Authorize remote access to privileged commands | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d42a8f69-a193-6cbc-48b9-04a9e29961f1 | Protect wireless access | CMA_0411 - Protect wireless access | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c6b877a6-5d6d-1862-4b7f-3ccc30b25b63 | Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 2d4d0e90-32d9-4deb-2166-a00d51ed57c0 | Provide information spillage training | CMA_0413 - Provide information spillage training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Synapse | 1e5ed725-f16c-478b-bd4b-7bfa2f7940b9 | Configure Azure Synapse workspaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-09-13 16:35:29 | BuiltIn |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (2.1.0 > 3.0.0) | 2022-09-13 16:35:29 | BuiltIn |
| Regulatory Compliance | 06f84330-4c27-21f7-72cd-7488afd50244 | Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 341bc9f1-7489-07d9-4ec6-971573e1546a | Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 477bd136-7dd9-55f8-48ac-bae096b86a07 | Develop POA&M | CMA_C1156 - Develop POA&M | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 42116f15-5665-a52a-87bb-b40e64c74b6c | Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (2.1.0 > 3.0.0) | 2022-09-13 16:35:29 | BuiltIn |
| Regulatory Compliance | 01ae60e2-38bb-0a32-7b20-d3a091423409 | Implement system boundary protection | CMA_0328 - Implement system boundary protection | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 203101f5-99a3-1491-1b56-acccd9b66a9e | Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 70a7a065-a060-85f8-7863-eb7850ed2af9 | Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 37dbe3dc-0e9c-24fa-36f2-11197cbfa207 | Ensure authorized users protect provided authenticators | CMA_C1339 - Ensure authorized users protect provided authenticators | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d8bbd80e-3bb1-5983-06c2-428526ec6a63 | Establish a password policy | CMA_0256 - Establish a password policy | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 291f20d4-8d93-1d73-89f3-6ce28b825563 | Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 27965e62-141f-8cca-426f-d09514ee5216 | Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928 | Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 72889284-15d2-90b2-4b39-a1e9541e1152 | Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b8972f60-8d77-1cb8-686f-9c9f4cdd8a59 | Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | d6653f89-7cb5-24a4-9d71-51581038231b | Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b6b32f80-a133-7600-301e-398d688e7e0c | Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | b4409bff-2287-8407-05fd-c73175a68302 | Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8747b573-8294-86a0-8914-49e9b06a5ace | Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 58a51cde-008b-1a5d-61b5-d95849770677 | Test the business continuity and disaster recovery plan | CMA_0509 - Test the business continuity and disaster recovery plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 271a3e58-1b38-933d-74c9-a580006b80aa | Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8aec4343-9153-9641-172c-defb201f56b3 | Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5fe84a4c-1b0c-a738-2aba-ed49c9069d3b | Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 1afada58-8b34-7ac2-a38a-983218635201 | Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5decc032-95bd-2163-9549-a41aba83228e | Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 575ed5e8-4c29-99d0-0e4d-689fb1d29827 | Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | fe2dff43-0a8c-95df-0432-cb1c794b17d0 | Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 6abdf7c7-362b-3f35-099e-533ed50988f9 | Assign information security representative to change control | CMA_C1198 - Assign information security representative to change control | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 35de8462-03ff-45b3-5746-9d4603c74c56 | Implement an insider threat program | CMA_C1751 - Implement an insider threat program | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 5b802722-71dd-a13d-2e7e-231e09589efb | Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 678ca228-042d-6d8e-a598-c58d5670437d | Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | f9ec3263-9562-1768-65a1-729793635a8d | Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 6f3866e8-6e12-69cf-788c-809d426094a1 | Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 8e49107c-3338-40d1-02aa-d524178a2afe | Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-13 16:35:29 | BuiltIn | |
| Regulatory Compliance | 3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f | Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 4502e506-5f35-0df4-684f-b326e3cc7093 | Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 50e9324a-7410-0539-0662-2c1e775538b7 | Authorize and manage access | CMA_0023 - Authorize and manage access | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | a315c657-4a00-8eba-15ac-44692ad24423 | Protect special information | CMA_0409 - Protect special information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | a830fe9e-08c9-a4fb-420c-6f6bf1702395 | Review account provisioning logs | CMA_0460 - Review account provisioning logs | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 526ed90e-890f-69e7-0386-ba5c0f1f784f | Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | be38a620-000b-21cf-3cb3-ea151b704c3b | Remediate information system flaws | CMA_0427 - Remediate information system flaws | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 3d492600-27ba-62cc-a1c3-66eb919f6a0d | Document remote access guidelines | CMA_0196 - Document remote access guidelines | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | a3e98638-51d4-4e28-910a-60e98c1a756f | Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 7a0ecd94-3699-5273-76a5-edb8499f655a | Determine assertion requirements | CMA_0136 - Determine assertion requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | b53aa659-513e-032c-52e6-1ce0ba46582f | Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 7805a343-275c-41be-9d62-7215b96212d8 | Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 55a7f9a0-6397-7589-05ef-5ed59a8149e7 | Control physical access | CMA_0081 - Control physical access | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | e4b00788-7e1c-33ec-0418-d048508e095b | Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 2f67e567-03db-9d1f-67dc-b6ffb91312f4 | Determine auditable events | CMA_0137 - Determine auditable events | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 63f63e71-6c3f-9add-4c43-64de23e554a7 | Manage gateways | CMA_0363 - Manage gateways | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 4a6f5cbd-6c6b-006f-2bb1-091af1441bce | Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | bd4dc286-2f30-5b95-777c-681f3a7913d3 | Establish and document change control processes | CMA_0265 - Establish and document change control processes | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 7380631c-5bf5-0e3a-4509-0873becd8a63 | Establish a configuration control board | CMA_0254 - Establish a configuration control board | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 5fc24b95-53f7-0ed1-2330-701b539b97fe | Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 9c276cf3-596f-581a-7fbd-f5e46edaa0f4 | Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | db28735f-518f-870e-15b4-49623cbe3aa0 | Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 79f081c7-1634-01a1-708e-376197999289 | Review user accounts | CMA_0480 - Review user accounts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 1d39b5d9-0392-8954-8359-575ce1957d1a | Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 2cc9c165-46bd-9762-5739-d2aae5ba90a1 | Automate account management | CMA_0026 - Automate account management | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | dad8a2e9-6f27-4fc2-8933-7e99fe700c9c | Authorize remote access | CMA_0024 - Authorize remote access | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Security Center | d31e5c31-63b2-4f12-887b-e49456834fa1 | Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces | Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10 | Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | eb1c944e-0e94-647b-9b7e-fdb8d2af0838 | Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | ae5345d5-8dab-086a-7290-db43a3272198 | Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 2f20840e-7925-221c-725d-757442753e7c | Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e | Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | d661e9eb-4e15-5ba1-6f02-cdc467db0d6c | Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 34d38ea7-6754-1838-7031-d7fd07099821 | Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 03b6427e-6072-4226-4bd9-a410ab65317e | Design an access control model | CMA_0129 - Design an access control model | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Guest Configuration | d96163de-dbe0-45ac-b803-0e9ca0f5764e | Windows machines should configure Windows Defender to update protection signatures within one day | To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 26daf649-22d1-97e9-2a8a-01b182194d59 | Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 10c4210b-3ec9-9603-050d-77e4d26c7ebb | Enforce logical access | CMA_0245 - Enforce logical access | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | ed87d27a-9abf-7c71-714c-61d881889da4 | Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Storage | f81e3117-0093-4b17-8a60-82363134f0eb | Configure secure transfer of data on a storage account | Secure transfer is an option that forces storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Default Modify Allowed Modify, Disabled |
count: 001 •Storage Account Contributor |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn |
| Regulatory Compliance | 8d140e8b-76c7-77de-1d46-ed1b2e112444 | Restrict access to private keys | CMA_0445 - Restrict access to private keys | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 2c843d78-8f64-92b5-6a9b-e8186c0e7eb6 | Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Security Center | f85bf3e0-d513-442e-89c3-1784ad63382b | [Preview]: System updates should be installed on your machines (powered by Update Center) | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | af38215f-70c4-0cd6-40c2-c52d86690a45 | Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Security Center | 951c1558-50a5-4ca3-abb6-a93e3e2367a6 | Configure Microsoft Defender for SQL to be enabled on Synapse workspaces | Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Security Manager |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn |
| Regulatory Compliance | b11697e8-9515-16f1-7a35-477d5c8a1344 | Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 48c816c5-2190-61fc-8806-25d6f3df162f | Monitor access across the organization | CMA_0376 - Monitor access across the organization | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | f96d2186-79df-262d-3f76-f371e3b71798 | Review user privileges | CMA_C1039 - Review user privileges | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | b2d3e5a2-97ab-5497-565a-71172a729d93 | Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 7c7032fe-9ce6-9092-5890-87a1a3755db1 | Retain terminated user data | CMA_0455 - Retain terminated user data | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 79365f13-8ba4-1f6c-2ac4-aa39929f56d0 | Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | efef28d0-3226-966a-a1e8-70e89c1b30bc | Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 398fdbd8-56fd-274d-35c6-fa2d3b2755a1 | Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 6f1de470-79f3-1572-866e-db0771352fc8 | Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Guest Configuration | b3248a42-b1c1-41a4-87bc-8bad3d845589 | Windows machines should enable Windows Defender Real-time protection | Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 2c6bee3a-2180-2430-440d-db3c7a849870 | Document security operations | CMA_0202 - Document security operations | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65 | Update antivirus definitions | CMA_0517 - Update antivirus definitions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 6625638f-3ba1-7404-5983-0ea33d719d34 | Review audit data | CMA_0466 - Review audit data | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 97d91b33-7050-237b-3e23-a77d57d84e13 | Issue public key certificates | CMA_0347 - Issue public key certificates | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7 | Define a physical key management process | CMA_0115 - Define a physical key management process | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | c7fddb0e-3f44-8635-2b35-dc6b8e740b7c | Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | c0559109-6a27-a217-6821-5a6d44f92897 | Maintain integrity of audit system | CMA_C1133 - Maintain integrity of audit system | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | b8dad106-6444-5f55-307e-1e1cc9723e39 | Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 333b4ada-4a02-0648-3d4d-d812974f1bb2 | Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 0e696f5a-451f-5c15-5532-044136538491 | Protect audit information | CMA_0401 - Protect audit information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | ece8bb17-4080-5127-915f-dc7267ee8549 | Verify security functions | CMA_C1708 - Verify security functions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 50e81644-923d-33fc-6ebb-9733bc8d1a06 | Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | e336d5f4-4d8f-0059-759c-ae10f63d1747 | Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | f476f3b0-4152-526e-a209-44e5f8c968d7 | Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 3d399cf3-8fc6-0efc-6ab0-1412f1198517 | Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Storage | 13502221-8df0-4414-9937-de9c5c4e396b | Configure your Storage account public access to be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default Modify Allowed Modify, Disabled |
count: 001 •Storage Account Contributor |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn |
| Regulatory Compliance | 83dfb2b8-678b-20a0-4c44-5c75ada023e6 | Document mobility training | CMA_0191 - Document mobility training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | c4ccd607-702b-8ae6-8eeb-fc3339cd4b42 | Define cryptographic use | CMA_0120 - Define cryptographic use | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 518eafdd-08e5-37a9-795b-15a8d798056d | Provide privacy training | CMA_0415 - Provide privacy training | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 8489ff90-8d29-61df-2d84-f9ab0f4c5e84 | Notify when account is not needed | CMA_0383 - Notify when account is not needed | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | e435f7e3-0dd9-58c9-451f-9b44b96c0232 | Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | b1666a13-8f67-9c47-155e-69e027ff6823 | Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 86ecd378-a3a0-5d5b-207c-05e6aaca43fc | Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 056a723b-4946-9d2a-5243-3aa27c4d31a1 | Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | fad161f5-5261-401a-22dd-e037bae011bd | Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 058e9719-1ff9-3653-4230-23f76b6492e0 | Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | e3905a3c-97e7-0b4f-15fb-465c0927536f | Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 3ad7f0bc-3d03-0585-4d24-529779bb02c2 | Maintain availability of information | CMA_C1644 - Maintain availability of information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 33832848-42ab-63f3-1a55-c0ad309d44cd | Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 2b4e134f-1e4c-2bff-573e-082d85479b6e | Develop an incident response plan | CMA_0145 - Develop an incident response plan | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 1bc7fd64-291f-028e-4ed6-6e07886e163f | Employ least privilege access | CMA_0212 - Employ least privilege access | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | e23444b9-9662-40f3-289e-6d25c02b48fa | Review label activity and analytics | CMA_0474 - Review label activity and analytics | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | aeed863a-0f56-429f-945d-8bb66bd06841 | Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Guest Configuration | 3810e389-1d92-4f77-9267-33bdcf0bd225 | Windows machines should schedule Windows Defender to perform a scheduled scan every day | To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | e603da3a-8af7-4f8a-94cb-1bcc0e0333d2 | Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Guest Configuration | 2454bbee-dc19-442f-83fc-7f3114cafd91 | Windows machines should use the default NTP server | Setup the 'time.windows.com' as the default NTP Server for all Windows machines to ensure logs across all systems have system clocks that are all in sync. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 49c23d9b-02b0-0e42-4f94-e8cef1b8381b | Audit user account status | CMA_0020 - Audit user account status | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | de770ba6-50dd-a316-2932-e0d972eaa734 | Require approval for account creation | CMA_0431 - Require approval for account creation | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 32f22cfa-770b-057c-965b-450898425519 | Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 3c9aa856-6b86-35dc-83f4-bc72cec74dea | Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | e714b481-8fac-64a2-14a9-6f079b2501a4 | Use privileged identity management | CMA_0533 - Use privileged identity management | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 873895e8-0e3a-6492-42e9-22cd030e9fcd | Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| Regulatory Compliance | 59bedbdc-0ba9-39b9-66bb-1d1c192384e6 | Control information flow | CMA_0079 - Control information flow | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-09-02 16:33:37 | BuiltIn | |
| App Service | 0f98368e-36bc-4716-8ac2-8f8067203b63 | Configure App Service apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn |
| App Service | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (2.0.0 > 3.0.0) | 2022-08-26 16:33:38 | BuiltIn | |
| Guest Configuration | f40c7c00-b4e3-4068-a315-5fe81347a904 | [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines | This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-08-26 16:33:38 | BuiltIn |
| Storage | b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb | Configure diagnostic settings for Blob Services to Log Analytics workspace | Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn |
| Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-08-26 16:33:38 | BuiltIn | |
| Regulatory Compliance | 1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1 | Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn | |
| Storage | 6f8f98a4-f108-47cb-8e98-91a0d85cd474 | [Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace | Deprecated: This policy did not evaluate correctly and has been separated into policies for each of the nested resources. Please see new policies for storage accounts (id: /providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef), blob services (b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb), file (25a70cc8-2bd4-47f1-90b6-1478e4662c96), queue (7bd000e3-37c7-4928-9f31-86c4b77c5c45), and table (2fb86bf3-d221-43d1-96d1-2434af34eaa0). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) | 2022-08-26 16:33:38 | BuiltIn |
| Storage | 59759c62-9a22-4cdf-ae64-074495983fef | Configure diagnostic settings for Storage Accounts to Log Analytics workspace | Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn |
| Monitoring | 08a4470f-b26d-428d-97f4-7e3e9c92b366 | Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, new suffix: preview (1.0.0 > 1.1.1-preview) | 2022-08-26 16:33:38 | BuiltIn |
| Monitoring | a0f27bdc-5b15-4810-b81d-7c4df9df1a37 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, new suffix: preview (1.1.0 > 1.1.1-preview) | 2022-08-26 16:33:38 | BuiltIn |
| Monitoring | 7c4214e9-ea57-487a-b38e-310ec09bc21d | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, new suffix: preview (1.1.0 > 1.1.1-preview) | 2022-08-26 16:33:38 | BuiltIn |
| Security Center | e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 | [Deprecated]: Configure Microsoft Defender for APIs should be enabled | This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn |
| Storage | 2fb86bf3-d221-43d1-96d1-2434af34eaa0 | Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn |
| Key Vault | 951af2fa-529b-416e-ab6e-066fd85ac459 | Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.1 > 2.0.1) | 2022-08-26 16:33:38 | BuiltIn |
| Storage | 25a70cc8-2bd4-47f1-90b6-1478e4662c96 | Configure diagnostic settings for File Services to Log Analytics workspace | Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn |
| Monitoring | c7f3bf36-b807-4f18-82dc-f480ad713635 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, new suffix: preview (1.1.0 > 1.1.1-preview) | 2022-08-26 16:33:38 | BuiltIn |
| Regulatory Compliance | 9622aaa9-5c49-40e2-5bf8-660b7cd23deb | Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn | |
| Regulatory Compliance | 7d7a8356-5c34-9a95-3118-1424cfaf192a | Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn | |
| Security Center | 7926a6d1-b268-4586-8197-e8ae90c877d7 | Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn | |
| App Service | ae1b9a8c-dfce-4605-bd91-69213b4a26fc | App Service app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn | |
| Monitoring | 84cfed75-dfd4-421b-93df-725b479d356a | Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, new suffix: preview (1.0.0 > 1.1.1-preview) | 2022-08-26 16:33:38 | BuiltIn |
| Batch | c520cefc-285f-40f3-86e2-2efc38ef1f64 | Configure Batch accounts to disable public network access | Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn |
| Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-08-26 16:33:38 | BuiltIn |
| Regulatory Compliance | f26af0b1-65b6-689a-a03f-352ad2d00f98 | Audit privileged functions | CMA_0019 - Audit privileged functions | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn | |
| Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, new suffix: preview (1.0.0 > 1.1.1-preview) | 2022-08-26 16:33:38 | BuiltIn |
| Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, new suffix: preview (1.0.0 > 1.1.1-preview) | 2022-08-26 16:33:38 | BuiltIn |
| Monitoring | 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 | Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, new suffix: preview (1.0.0 > 1.1.1-preview) | 2022-08-26 16:33:38 | BuiltIn |
| Storage | 7bd000e3-37c7-4928-9f31-86c4b77c5c45 | Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn |
| Machine Learning | 679ddf89-ab8f-48a5-9029-e76054077449 | Azure Machine Learning Compute Instance should have idle shutdown. | Having an idle shutdown schedule reduces cost by shutting down computes that are idle after a pre-determined period of activity. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn | |
| Monitoring | af0082fd-fa58-4349-b916-b0e47abb0935 | Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor, new suffix: preview (1.0.0 > 1.1.1-preview) | 2022-08-26 16:33:38 | BuiltIn |
| App Service | a18c77f2-3d6d-497a-9f61-849a7e8a3b79 | Configure App Service app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2022-08-26 16:33:38 | BuiltIn |
| Azure Load Testing | 65c4f833-1f2e-426c-8780-f6d7593bed7a | Azure load testing resource should use customer-managed keys to encrypt data at rest | Use customer-managed keys(CMK) to manage the encryption at rest for your Azure Load Testing resource. By default the encryptio is done using Service managed keys, customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/load-testing/how-to-configure-customer-managed-keys?tabs=portal. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-08-19 16:33:23 | BuiltIn | |
| Kubernetes | 2630c91f-8a20-8f43-14a2-2485b648e2a9 | Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS CA Certificate. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-08-19 16:33:23 | BuiltIn |
| Kubernetes | bf1a31be-3b79-5ba8-c9e0-9a8c9ad9f749 | Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-08-19 16:33:23 | BuiltIn |
| Kubernetes | 9e980dca-f3e1-8da3-6717-ad37b1ca6b27 | Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a SSH private key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-08-19 16:33:23 | BuiltIn |
| Kubernetes | 5174c1db-ca42-e0d4-b320-4f1cf6a1fa93 | Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires a Bucket SecretKey stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-08-19 16:33:23 | BuiltIn |
| Kubernetes | b6c7fd52-4723-5f4d-a157-3d39bd16a1d7 | Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-08-19 16:33:23 | BuiltIn |
| Automanage | b025cfb4-3702-47c2-9110-87fe0cfcc99b | Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.2.0) | 2022-08-19 16:33:23 | BuiltIn |
| Kubernetes | 83ea2fd1-9eaf-2f6d-f672-cd7b2ac798f6 | Configure Kubernetes clusters with Flux v2 configuration using public Git repository | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires no secrets. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-08-19 16:33:23 | BuiltIn |
| Kubernetes | f9175d5f-abc8-1dc3-bd3c-5d7476ada3d1 | Configure installation of Flux extension on Kubernetes cluster | Install Flux extension on Kubernetes cluster to enable deployment of 'fluxconfigurations' in the cluster | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-08-19 16:33:23 | BuiltIn |
| Kubernetes | b8c1d6c1-6137-97c6-9c34-d4627e54ca26 | Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-08-19 16:33:23 | BuiltIn |
| Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (2.0.0 > 2.2.0) | 2022-08-19 16:33:23 | BuiltIn |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-08-12 16:33:43 | BuiltIn | |
| Network | a58ac66d-92cb-409c-94b8-8e48d7a96596 | Azure firewall policy should enable TLS inspection within application rules | Enabling TLS inspection is recommended for all application rules to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-08-12 16:33:43 | BuiltIn | |
| Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.0.0 > 2.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.0.0 > 2.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (4.0.1 > 4.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.0.1 > 3.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2022-08-12 16:33:43 | BuiltIn |
| Security Center | 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-09 17:24:03 | BuiltIn | |
| Security Center | 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-09 17:24:03 | BuiltIn | |
| Security Center | e3e008c3-56b9-4133-8fd7-d3347377402a | Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-09 17:24:03 | BuiltIn | |
| Security Center | 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-09 17:24:03 | BuiltIn | |
| Monitoring | 7c4214e9-ea57-487a-b38e-310ec09bc21d | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-08-09 17:24:03 | BuiltIn |
| Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2022-08-09 17:24:03 | BuiltIn |
| Monitoring | 187242f4-89c6-4c43-9a4e-188c0efacc5f | Resource logs should be enabled for Audit on supported resources | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. The existence of a diagnostic setting for category group Audit on the selected resource types ensures that these logs are enabled and captured. Applicable resource types are those that support the "Audit" category group. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-09 17:24:03 | BuiltIn | |
| Cognitive Services | 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c | Configure Cognitive Services accounts to disable public network access | Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default Modify Allowed Disabled, Modify |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-08-09 17:24:03 | BuiltIn |
| Security Center | 339353f6-2387-4a45-abe4-7f529d121046 | Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-09 17:24:03 | BuiltIn | |
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2022-08-09 17:24:03 | BuiltIn |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed deployIfNotExists |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Major (2.0.1 > 3.0.0) | 2022-08-09 17:24:03 | BuiltIn |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2022-08-09 17:24:03 | BuiltIn |
| Monitoring | a0f27bdc-5b15-4810-b81d-7c4df9df1a37 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-08-09 17:24:03 | BuiltIn |
| Cosmos DB | a63cc0bd-cda4-4178-b705-37dc439d3e0f | Configure CosmosDB accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-08-09 17:24:03 | BuiltIn |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (5.1.1-preview > 5.2.0-preview) | 2022-08-09 17:24:03 | BuiltIn |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-08-09 17:24:03 | BuiltIn |
| Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Cognitive Services Contributor •Network Contributor |
change |
Major (2.1.0 > 3.0.0) | 2022-08-09 17:24:03 | BuiltIn |
| Security Center | 931e118d-50a1-4457-a5e4-78550e086c52 | Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-09 17:24:03 | BuiltIn | |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed deployIfNotExists |
count: 001 •Virtual Machine Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-08-09 17:24:03 | BuiltIn |
| Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2022-08-09 17:24:03 | BuiltIn |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2022-08-09 17:24:03 | BuiltIn |
| Monitoring | c7f3bf36-b807-4f18-82dc-f480ad713635 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-08-09 17:24:03 | BuiltIn |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch (2.1.0 > 2.1.1) | 2022-08-09 17:24:03 | BuiltIn |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview) | 2022-08-09 17:24:03 | BuiltIn |
| Security Center | e9ac8f8e-ce22-4355-8f04-99b911d6be52 | Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-09 17:24:03 | BuiltIn | |
| Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default Audit Allowed Audit, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-08-09 17:24:03 | BuiltIn | |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2022-08-09 17:24:03 | BuiltIn |
| Service Bus | cbd11fd3-3002-4907-b6c8-579f0e700e13 | Service Bus Namespaces should disable public network access | Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-08-09 17:24:03 | BuiltIn | |
| Security Center | 0cfea604-3201-4e14-88fc-fae4c427a6c5 | Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-08-05 16:32:22 | BuiltIn | |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | [Deprecated]: Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Disabled Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-08-05 16:32:22 | BuiltIn | |
| Azure Ai Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-08-05 16:32:22 | BuiltIn | |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics extension for Linux VMs. See deprecation notice below | Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
Major (2.0.1 > 3.0.0) | 2022-08-05 16:32:22 | BuiltIn |
| Lab Services | 3e13d504-9083-4912-b935-39a085db2249 | Lab Services should restrict allowed virtual machine SKU sizes | This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-07-29 16:32:46 | BuiltIn | |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch (3.0.0 > 3.0.1) | 2022-07-29 16:32:46 | BuiltIn |
| Container Apps | 783ea2a8-b8fd-46be-896a-9ae79643a0b1 | Container Apps should disable external network access | Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-29 16:32:46 | BuiltIn | |
| Container Apps | 0e80e269-43a4-4ae9-b5bc-178126b8a5cb | Container Apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-29 16:32:46 | BuiltIn | |
| Container Apps | b874ab2d-72dd-47f1-8cb5-4a306478a4e7 | Managed Identity should be enabled for Container Apps | Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-29 16:32:46 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview) | 2022-07-29 16:32:46 | BuiltIn |
| Lab Services | 0fd9915e-cab3-4f24-b200-6e20e1aa276a | Lab Services should require non-admin user for labs | This policy requires non-admin user accounts to be created for the labs managed through lab-services. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-07-29 16:32:46 | BuiltIn | |
| Lab Services | e8a5a3eb-1ab6-4657-a701-7ae432cf14e1 | Lab Services should not allow template virtual machines for labs | This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-07-29 16:32:46 | BuiltIn | |
| Compute | 8405fdab-1faf-48aa-b702-999c9c172094 | Managed disks should disable public network access | Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default Audit Allowed Audit, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-29 16:32:46 | BuiltIn | |
| Container Apps | 8b346db6-85af-419b-8557-92cee2c0f9bb | Container App environments should use network injection | Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.1 > 1.0.2) | 2022-07-29 16:32:46 | BuiltIn | |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Patch (3.0.0 > 3.0.1) | 2022-07-29 16:32:46 | BuiltIn |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch (2.1.0 > 2.1.1) | 2022-07-29 16:32:46 | BuiltIn |
| Container Apps | 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 | Authentication should be enabled on Container Apps | Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-29 16:32:46 | BuiltIn | |
| Machine Learning | e413671a-dd10-4cc1-a943-45b598596cb7 | Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility | Azure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: https://aka.ms/V1LegacyMode. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-07-29 16:32:46 | BuiltIn | |
| Lab Services | a6e9cf2d-7d76-440e-b795-8da246bd3aab | Lab Services should enable all options for auto shutdown | This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-07-29 16:32:46 | BuiltIn | |
| Compute | 8426280e-b5be-43d9-979e-653d12a08638 | Configure managed disks to disable public network access | Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-07-29 16:32:46 | BuiltIn |
| Container Apps | 7c9f3fbb-739d-4844-8e42-97e3be6450e0 | Container App should configure with volume mount | Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-29 16:32:46 | BuiltIn | |
| Container Apps | d074ddf8-01a5-4b5e-a2b8-964aed452c0a | Container Apps environment should disable public network access | Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-29 16:32:46 | BuiltIn | |
| Monitoring | 84cfed75-dfd4-421b-93df-725b479d356a | Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2022-07-26 16:32:46 | BuiltIn |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default Audit Allowed Audit, Disabled |
change |
Major (1.0.3 > 2.0.0) | 2022-07-26 16:32:46 | BuiltIn | |
| Monitoring | c7f3bf36-b807-4f18-82dc-f480ad713635 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-07-26 16:32:46 | BuiltIn |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Major (3.1.1 > 4.0.0) | 2022-07-26 16:32:46 | BuiltIn |
| Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2022-07-26 16:32:46 | BuiltIn |
| Monitoring | a0f27bdc-5b15-4810-b81d-7c4df9df1a37 | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-07-26 16:32:46 | BuiltIn |
| Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-07-26 16:32:46 | BuiltIn |
| Monitoring | 08a4470f-b26d-428d-97f4-7e3e9c92b366 | Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2022-07-26 16:32:46 | BuiltIn |
| Monitoring | 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 | Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2022-07-26 16:32:46 | BuiltIn |
| Monitoring | 7c4214e9-ea57-487a-b38e-310ec09bc21d | [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-07-26 16:32:46 | BuiltIn |
| Monitoring | af0082fd-fa58-4349-b916-b0e47abb0935 | Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-07-26 16:32:46 | BuiltIn |
| Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Cognitive Services Contributor •Network Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2022-07-26 16:32:46 | BuiltIn |
| SQL | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-22 16:34:49 | BuiltIn |
| SQL | 80ed5239-4122-41ed-b54a-6f1fa7552816 | Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-22 16:34:49 | BuiltIn |
| Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-07-22 16:34:49 | BuiltIn | |
| SQL | 9dfea752-dd46-4766-aed1-c355fa93fb91 | Azure SQL Managed Instances should disable public network access | Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://aka.ms/mi-public-endpoint. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-07-22 16:34:49 | BuiltIn | |
| Azure Active Directory | 7e4301f9-5f32-4738-ad9f-7ec2d15563ad | Configure Private Link for Azure AD to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://aka.ms/privateLinkforAzureADDocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-07-22 16:34:49 | BuiltIn |
| Azure Active Directory | b923afcf-4c3a-4ed6-8386-1ff64b68de47 | Configure Private Link for Azure AD with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-07-22 16:34:49 | BuiltIn |
| SQL | db048e65-913c-49f9-bb5f-1084184671d3 | Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-22 16:34:49 | BuiltIn |
| Azure Active Directory | 2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28 | Azure Active Directory should use private link to access Azure services | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-07-22 16:34:49 | BuiltIn | |
| SQL | 6134c3db-786f-471e-87bc-8f479dc890f6 | Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | Fixed DeployIfNotExists |
count: 002 •SQL Security Manager •Storage Account Contributor |
change |
Minor (1.2.0 > 1.3.0) | 2022-07-22 16:34:49 | BuiltIn |
| Container Instance | 8af8f826-edcb-4178-b35f-851ea6fea615 | Azure Container Instance container group should deploy into a virtual network | Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (1.0.0 > 2.0.0) | 2022-07-15 16:32:44 | BuiltIn | |
| Health Bot | 4d080fa5-a6d2-4f98-ba9c-f482d0d335c0 | Azure Health Bots should use customer-managed keys to encrypt data at rest | Use customer-managed keys (CMK) to manage the encryption at rest of the data of your healthbots. By default, the data is encrypted at rest with service-managed keys, but CMK are commonly required to meet regulatory compliance standards. CMK enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/health-bot/cmk | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-07-15 16:32:44 | BuiltIn | |
| Container Registry | 785596ed-054f-41bc-aaec-7f3d0ba05725 | Configure container registries to disable ARM audience token authentication. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-07-15 16:32:44 | BuiltIn |
| Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-15 16:32:44 | BuiltIn | |
| App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2022-07-15 16:32:44 | BuiltIn | |
| Container Registry | 42781ec6-6127-4c30-bdfa-fb423a0047d3 | Container registries should have ARM audience token authentication disabled. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-07-15 16:32:44 | BuiltIn | |
| Fluid Relay | 46388f67-373c-4018-98d3-2b83172dd13a | Fluid Relay should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Fluid Relay server. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Learn more at https://docs.microsoft.com/azure/azure-fluid-relay/concepts/customer-managed-keys. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-07-08 16:32:07 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Major, suffix remains equal (6.1.2-preview > 7.0.0-preview) | 2022-07-08 16:32:07 | BuiltIn |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.1.0 > 7.0.0) | 2022-07-08 16:32:07 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.1.0 > 7.0.0) | 2022-07-08 16:32:07 | BuiltIn | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, suffix remains equal (1.0.3-preview > 2.0.0-preview) | 2022-07-08 16:32:07 | BuiltIn | |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (4.0.1 > 4.1.0) | 2022-07-08 16:32:07 | BuiltIn |
| API Management | b741306c-968e-4b67-b916-5675e5c709f4 | API Management direct management endpoint should not be enabled | The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-08 16:32:07 | BuiltIn | |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (4.0.1 > 4.1.0) | 2022-07-08 16:32:07 | BuiltIn |
| Guest Configuration | 828ba269-bf7f-4082-83dd-633417bc391d | Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines | Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-07-08 16:32:07 | BuiltIn |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2022-07-08 16:32:07 | BuiltIn |
| Internet of Things | c854b0f0-02d0-4f94-9b42-fd175fbd4d49 | Deploy - Configure IoT Central with private endpoints | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT Central to allow services inside your virtual network to reach IoT Central without requiring traffic to be sent to IoT Central's public endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Network Contributor |
add |
new Policy | 2022-07-08 16:32:07 | BuiltIn |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.2.0 > 6.2.1) | 2022-07-08 16:32:07 | BuiltIn | |
| API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use only encrypted protocols | To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (2.0.0 > 2.0.1) | 2022-07-08 16:32:07 | BuiltIn | |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (2.0.1 > 2.1.0) | 2022-07-08 16:32:07 | BuiltIn |
| Internet of Things | 5b9d063f-c5fd-4750-a489-1258d1fefcbf | Configure Azure Device Update for IoT Hub accounts with private endpoint | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Network Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-07-08 16:32:07 | BuiltIn |
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2022-07-08 16:32:07 | BuiltIn | |
| API Management | c15dcc82-b93c-4dcb-9332-fbf121685b54 | API Management calls to API backends should be authenticated | Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-08 16:32:07 | BuiltIn | |
| Internet of Things | d627d7c6-ded5-481a-8f2e-7e16b1e6faf6 | Deploy - Configure IoT Central to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Central private endpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Network Contributor |
add |
new Policy | 2022-07-08 16:32:07 | BuiltIn |
| API Management | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management calls to API backends should not bypass certificate thumbprint or name validation | To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-08 16:32:07 | BuiltIn | |
| Internet of Things | cd870362-211d-4cad-9ad9-11e5ea4ebbc1 | Public network access should be disabled for IoT Central | To improve the security of IoT Central, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/iotcentral-restrict-public-access. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-07-08 16:32:07 | BuiltIn | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.3.1 > 4.0.0) | 2022-07-08 16:32:07 | BuiltIn | |
| Azure Databricks | 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 | Azure Databricks Workspaces should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-07-08 16:32:07 | BuiltIn | |
| Network | 632d3993-e2c0-44ea-a7db-2eca131f356d | Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-07-08 16:32:07 | BuiltIn | |
| API Management | 549814b6-3212-4203-bdc8-1548d342fb67 | API Management minimum API version should be set to 2019-12-01 or higher | To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-08 16:32:07 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.2.0 > 7.0.0) | 2022-07-08 16:32:07 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.2.1 > 5.0.0) | 2022-07-08 16:32:07 | BuiltIn | |
| Internet of Things | d02e48d5-28d9-40d3-8ab8-301932a6f9cb | Modify - Configure IoT Central to disable public network access | Disabling the public network access property improves security by ensuring your IoT Central can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-07-08 16:32:07 | BuiltIn |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (5.0.3-preview > 6.0.0-preview) | 2022-07-08 16:32:07 | BuiltIn | |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (2.0.1 > 2.1.0) | 2022-07-08 16:32:07 | BuiltIn |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2022-07-08 16:32:07 | BuiltIn |
| API Management | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management secret named values should be stored in Azure Key Vault | Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-08 16:32:07 | BuiltIn | |
| Internet of Things | 9ace2dbc-4b71-48b6-b2a7-428b0b2e3944 | IoT Central should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your IoT Central application instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/iotcentral-network-security-using-pe. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-07-08 16:32:07 | BuiltIn | |
| App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | [Deprecated]: FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should require FTPS only', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 0820b7b9-23aa-4725-a1ce-ae4558f718e5 | Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.1 > 5.0.2) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Function apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | dcbc65aa-59f3-4239-8978-3bb869d82604 | App Service apps should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | App Service apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | App Service apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.1.1 > 4.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | [Deprecated]: API apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service Environment should have TLS 1.0 and 1.1 disabled | TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-07-01 16:32:34 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.2.1 > 5.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn |
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 324c7761-08db-4474-9661-d1039abc92ee | [Deprecated]: API apps should use an Azure file share for its content directory | The content directory of an API app should be located on an Azure file share. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use an Azure file shares for its content directory', which is scoped to include API apps in addition to Web Apps. | Default Audit Allowed Audit, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (7.2.0 > 8.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | [Deprecated]: Latest TLS version should be used in your API App | Upgrade to the latest TLS version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use the latest TLS version', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | App Service apps should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Function apps should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.1 > 6.0.2) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | e9c8d085-d9cc-4b17-9cdc-059f1f01f19e | [Deprecated]: Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have remote debugging turned off', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have 'Client Certificates (Incoming client certificates)' enabled', which is scoped to include API apps in addition to Web Apps. | Default Audit Allowed Audit, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | cb510bfd-1cba-4d9f-a230-cb0976f4bb71 | App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Function apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 72d04c29-f87d-4575-9731-419ff16a2757 | App Service apps should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 0e60b895-3786-45da-8377-9c6b4b6ac5f9 | Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.2.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | b318f84a-b872-429b-ac6d-a01b96814452 | Configure App Service apps to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn |
| App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn |
| App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, new suffix: preview (5.0.2 > 5.0.3-preview) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | [Deprecated]: Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps should have authentication enabled', which is scoped to include API apps in addition to Web apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.2.1 > 5.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | fb74e86f-d351-4b8d-b034-93da7391c01f | App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| Kubernetes | 6c66c325-74c8-42fd-a286-a74b0e2939d8 | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn |
| App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Function apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 687aa49d-0982-40f8-bf6b-66d1da97a04b | App Service apps should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch, new suffix: preview (6.1.1 > 6.1.2-preview) | 2022-07-01 16:32:34 | BuiltIn |
| App Service | 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac | [Deprecated]: CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (2.0.0 > 3.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-07-01 16:32:34 | BuiltIn |
| App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | [Deprecated]: Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2022-07-01 16:32:34 | BuiltIn | |
| App Service | 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 | App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-07-01 16:32:34 | BuiltIn | |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (4.0.0 > 5.0.0) | 2022-06-24 19:15:47 | BuiltIn |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (8.0.0 > 9.0.0) | 2022-06-24 19:15:47 | BuiltIn |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2022-06-24 19:15:47 | BuiltIn |
| Guest Configuration | f40c7c00-b4e3-4068-a315-5fe81347a904 | [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines | This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2022-06-24 19:15:47 | BuiltIn |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2022-06-24 19:15:47 | BuiltIn |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (8.0.0 > 9.0.0) | 2022-06-24 19:15:47 | BuiltIn |
| Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (4.0.0 > 5.0.0) | 2022-06-24 19:15:47 | BuiltIn |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-06-24 19:15:47 | BuiltIn |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2022-06-24 19:15:47 | BuiltIn |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (4.0.0 > 5.0.0) | 2022-06-24 19:15:47 | BuiltIn |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default Audit Allowed Audit, Disabled |
change |
Patch, old suffix: preview (1.0.2-preview > 1.0.3) | 2022-06-24 19:15:47 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch, old suffix: preview (6.1.0-preview > 6.1.1) | 2022-06-24 19:15:47 | BuiltIn |
| Kubernetes | 46238e2f-3f6f-4589-9f3f-77bed4116e67 | Azure Kubernetes Clusters should use Azure CNI | Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-06-24 19:15:47 | BuiltIn | |
| API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use only encrypted protocols | To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (1.0.0 > 2.0.0) | 2022-06-24 19:15:47 | BuiltIn | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (5.0.1-preview > 5.0.2) | 2022-06-24 19:15:47 | BuiltIn | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (8.0.0 > 9.0.0) | 2022-06-24 19:15:47 | BuiltIn |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed deployIfNotExists |
count: 001 •Virtual Machine Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-06-24 19:15:47 | BuiltIn |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (8.0.0 > 9.0.0) | 2022-06-24 19:15:47 | BuiltIn |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.0.0 > 3.1.0) | 2022-06-24 19:15:47 | BuiltIn |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch, old suffix: preview (3.1.0-preview > 3.1.1) | 2022-06-24 19:15:47 | BuiltIn |
| Machine Learning | Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess | Deny public access of Azure Machine Learning clusters via SSH | Deny public access of Azure Machine Learning clusters via SSH. | Default Deny Allowed Audit, Disabled, Deny |
change |
Minor (1.0.0 > 1.1.0) | 2022-06-17 17:16:31 | ALZ | |
| Storage | Deploy-Storage-sslEnforcement | Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS | Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Storage Account Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-06-17 17:16:31 | ALZ |
| Monitoring | Deploy-Diagnostics-WVDHostPools | Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace | Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-06-17 17:16:31 | ALZ |
| Monitoring | Deploy-Diagnostics-WVDWorkspace | Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace | Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-06-17 17:16:31 | ALZ |
| Monitoring | Deploy-Diagnostics-AVDScalingPlans | Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace | Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-06-17 17:16:31 | ALZ |
| Monitoring | Deploy-Diagnostics-Bastion | Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace | Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-06-17 17:16:31 | ALZ |
| Monitoring | Deploy-Diagnostics-MlWorkspace | Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace | Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-06-17 17:16:31 | ALZ |
| Monitoring | Deploy-Diagnostics-WVDAppGroup | Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace | Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-06-17 17:16:31 | ALZ |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.0 > 7.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.1 > 6.0.2) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.2.0 > 6.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| API Management | b741306c-968e-4b67-b916-5675e5c709f4 | API Management direct management endpoint should not be enabled | The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-06-17 16:31:08 | BuiltIn | |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.1.0 > 3.1.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.1.0 > 2.0.0) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.1.0 > 2.0.0) | 2022-06-17 16:31:08 | BuiltIn | |
| API Management | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management calls to API backends should not bypass certificate thumbprint or name validation | To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.3.0 > 3.3.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.2.0 > 4.2.1) | 2022-06-17 16:31:08 | BuiltIn | |
| API Management | c15dcc82-b93c-4dcb-9332-fbf121685b54 | API Management calls to API backends should be authenticated | Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-06-17 16:31:08 | BuiltIn | |
| API Management | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management secret named values should be stored in Azure Key Vault | Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (7.2.0 > 8.0.0) | 2022-06-17 16:31:08 | BuiltIn | |
| API Management | 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 | API Management subscriptions should not be scoped to all APIs | API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.2.0 > 4.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.2.0 > 4.2.1) | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.2.0 > 4.2.1) | 2022-06-17 16:31:08 | BuiltIn | |
| API Management | 549814b6-3212-4203-bdc8-1548d342fb67 | API Management minimum API version should be set to 2019-12-01 or higher | To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-06-17 16:31:08 | BuiltIn | |
| API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use only encrypted protocols | To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-06-17 16:31:08 | BuiltIn | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.2.0 > 2.0.0) | 2022-06-17 16:31:08 | BuiltIn | |
| Storage | a06d0189-92e8-4dba-b0c4-08d7669fce7d | Configure storage accounts to disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Modify Allowed Modify, Disabled |
count: 001 •Storage Account Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-06-10 16:31:21 | BuiltIn |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.0.1-preview > 6.1.0-preview) | 2022-06-10 16:31:21 | BuiltIn | |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) | 2022-06-10 16:31:21 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.2.0 > 4.0.0) | 2022-06-10 16:31:21 | BuiltIn | |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2022-06-10 16:31:21 | BuiltIn | |
| Key Vault | 405c5871-3e91-4644-8a63-58e19d68ff5b | Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-06-10 16:31:21 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.2.0 > 5.0.0) | 2022-06-10 16:31:21 | BuiltIn | |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Major (2.1.1 > 3.0.0) | 2022-06-10 16:31:21 | BuiltIn |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (7.1.0 > 8.0.0) | 2022-06-10 16:31:21 | BuiltIn | |
| Storage | b2982f36-99f2-4db5-8eff-283140c09693 | Storage accounts should disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-06-10 16:31:21 | BuiltIn | |
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-06-10 16:31:21 | BuiltIn | |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (2.1.0 > 3.0.0) | 2022-06-10 16:31:21 | BuiltIn |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major (2.1.0 > 3.0.0) | 2022-06-10 16:31:21 | BuiltIn |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.1.0 > 3.0.0) | 2022-06-10 16:31:21 | BuiltIn | |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | 2022-06-10 16:31:21 | BuiltIn | |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major (2.1.1 > 3.0.0) | 2022-06-10 16:31:21 | BuiltIn |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, old suffix: preview (2.0.0-preview > 3.0.0) | 2022-06-10 16:31:21 | BuiltIn | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | 2022-06-10 16:31:21 | BuiltIn | |
| Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01dc | Configure key vaults to enable firewall | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Modify Allowed Modify, Disabled |
count: 001 •Key Vault Contributor |
change |
Minor, old suffix: preview (1.0.0-preview > 1.1.1) | 2022-06-10 16:31:21 | BuiltIn |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-06-07 16:30:19 | BuiltIn | |
| Security Center | 37c043a6-6d64-656d-6465-b362dfeb354a | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines | Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Guest Configuration | e79ffbda-ff85-465d-ab8e-7e58a557660f | [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-06-07 16:30:19 | BuiltIn | |
| Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.2.0 > 4.0.0) | 2022-06-07 16:30:19 | BuiltIn | |
| App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (1.0.0 > 2.0.0) | 2022-06-07 16:30:19 | BuiltIn | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) | 2022-06-07 16:30:19 | BuiltIn | |
| Guest Configuration | 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f | [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-06-07 16:30:19 | BuiltIn | |
| Security Center | 4eb909e7-6d64-656d-6465-2eeb297a1625 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines | Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, new suffix: preview (1.0.0 > 1.0.1-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-06-07 16:30:19 | BuiltIn | |
| Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-06-07 16:30:19 | BuiltIn | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2022-06-07 16:30:19 | BuiltIn | |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Patch, new suffix: preview (1.0.0 > 1.0.1-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-06-07 16:30:19 | BuiltIn | |
| Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-06-07 16:30:19 | BuiltIn | |
| Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-06-07 16:30:19 | BuiltIn | |
| App Service | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (1.0.0 > 2.0.0) | 2022-06-07 16:30:19 | BuiltIn | |
| App Service | b7ddfbdc-1260-477d-91fd-98bd9be789a6 | [Deprecated]: API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should only be accessible over HTTPS', which is scoped to include API apps in addition to Web Apps. | Default Audit Allowed Audit, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-06-07 16:30:19 | BuiltIn | |
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-06-07 16:30:19 | BuiltIn | |
| Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (5.0.0-preview > 6.0.1-preview) | 2022-06-07 16:30:19 | BuiltIn | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.2.0 > 3.0.0) | 2022-06-07 16:30:19 | BuiltIn | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Minor, suffix remains equal (3.0.3-preview > 3.1.0-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Security Center | 1ec9c2c2-6d64-656d-6465-3ec3309b8579 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines | Deploys Microsoft Defender for Endpoint on applicable Windows VM images. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (5.0.1-preview > 5.1.1-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2022-06-07 16:30:19 | BuiltIn | |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) | 2022-06-07 16:30:19 | BuiltIn | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-06-07 16:30:19 | BuiltIn | |
| Security Center | ac076320-ddcf-4066-b451-6154267e8ad2 | Enable Microsoft Defender for Cloud on your subscription | Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2022-06-07 16:30:19 | BuiltIn |
| Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-06-07 16:30:19 | BuiltIn |
| Storage | d847d34b-9337-4e2d-99a5-767e5ac9c582 | Configure a private DNS Zone ID for blob_secondary groupID | Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Storage | b2982f36-99f2-4db5-8eff-283140c09693 | Storage accounts should disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn | |
| Maps | 50553764-7777-43cf-bf12-8647e0b9ba01 | CORS should not allow every resource to access your map account. | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your map account. Allow only required domains to interact with your map account. | Default Audit Allowed Disabled, Audit, Deny |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.2.0 > 5.0.0) | 2022-05-27 20:20:35 | BuiltIn | |
| Storage | 90bd4cb3-9f59-45f7-a6ca-f69db2726671 | Configure a private DNS Zone ID for dfs_secondary groupID | Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Storage | a06d0189-92e8-4dba-b0c4-08d7669fce7d | Configure storage accounts to disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Modify Allowed Modify, Disabled |
count: 001 •Storage Account Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.2.0 > 5.0.0) | 2022-05-27 20:20:35 | BuiltIn | |
| Compute | 2835b622-407b-4114-9198-6f7064cbe0dc | Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | Fixed deployIfNotExists |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-05-27 20:20:35 | BuiltIn |
| Storage | 83c6fe0f-2316-444a-99a1-1ecd8a7872ca | Configure a private DNS Zone ID for dfs groupID | Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.1.0 > 4.0.0) | 2022-05-27 20:20:35 | BuiltIn | |
| Compute | 9b597639-28e4-48eb-b506-56b05d366257 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-05-27 20:20:35 | BuiltIn | |
| Storage | bcff79fb-2b0d-47c9-97e5-3023479b00d1 | Configure a private DNS Zone ID for queue groupID | Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Storage | 6df98d03-368a-4438-8730-a93c4d7693d6 | Configure a private DNS Zone ID for file groupID | Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Storage | c1d634a5-f73d-4cdd-889f-2cc7006eb47f | Configure a private DNS Zone ID for table_secondary groupID | Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Container Apps | 8b346db6-85af-419b-8557-92cee2c0f9bb | Container App environments should use network injection | Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.0 > 1.0.1) | 2022-05-27 20:20:35 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.3.0 > 7.0.0) | 2022-05-27 20:20:35 | BuiltIn | |
| Storage | d19ae5f1-b303-4b82-9ca8-7682749faf0c | Configure a private DNS Zone ID for web_secondary groupID | Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Storage | da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6 | Configure a private DNS Zone ID for queue_secondary groupID | Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed deployIfNotExists |
count: 001 •Guest Configuration Resource Contributor |
change |
Major (1.1.0 > 2.0.0) | 2022-05-27 20:20:35 | BuiltIn |
| Storage | 75973700-529f-4de2-b794-fb9b6781b6b0 | Configure a private DNS Zone ID for blob groupID | Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Storage | 028bbd88-e9b5-461f-9424-a1b63a7bee1a | Configure a private DNS Zone ID for table groupID | Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.1.0 > 6.0.0) | 2022-05-27 20:20:35 | BuiltIn | |
| Storage | 9adab2a5-05ba-4fbd-831a-5bf958d04218 | Configure a private DNS Zone ID for web groupID | Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-05-27 20:20:35 | BuiltIn |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.2.0 > 5.0.0) | 2022-05-27 20:20:35 | BuiltIn | |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2022-05-27 20:20:35 | BuiltIn |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.2.0 > 6.0.0) | 2022-05-27 20:20:35 | BuiltIn | |
| Key Vault | 86810a98-8e91-4a44-8386-ec66d0de5d57 | [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn | |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn |
| Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning Workspaces should disable public network access | Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.3.0 > 2.0.0) | 2022-05-23 08:52:47 | BuiltIn | |
| Key Vault | e58fd0c1-feac-4d12-92db-0a7e9421f53e | [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn | |
| Web PubSub | eb907f70-7514-460d-92b3-a5ae93b4f917 | Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn | |
| SignalR | 2393d2cf-a342-44cd-a2e2-fe0188fd1234 | Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn | |
| Attestation | 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97 | Azure Attestation providers should disable public network access | To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn | |
| Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn | |
| Key Vault | ad27588c-0198-4c84-81ef-08efd0274653 | [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn | |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn |
| Key Vault | 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 | [Preview]: Azure Key Vault Managed HSM keys should have an expiration date | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-23 08:52:47 | BuiltIn | |
| Container Apps | 783ea2a8-b8fd-46be-896a-9ae79643a0b1 | Container Apps should disable external network access | Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| Web PubSub | ee8a7be2-e9b5-47b9-9d37-d9b141ea78a4 | Azure Web PubSub Service should enable diagnostic logs | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| Internet of Things | 27573ebe-7ef3-4472-a8e1-33aef9ea65c5 | Configure Azure Device Update for IoT Hub accounts to disable public network access | Disabling the public network access property improves security by ensuring your Device Update for IoT Hub can only be accessed from a private endpoint. This policy disables public network access on Device Update for IoT Hub resources. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn |
| Internet of Things | a222b93a-e6c2-4c01-817f-21e092455b2a | Configure Azure Device Update for IoT Hub accounts to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for Device Updatefor IoT Hub private endpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Network Contributor |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.2 > 2.0.0) | 2022-05-16 16:31:13 | BuiltIn | |
| Container Apps | d074ddf8-01a5-4b5e-a2b8-964aed452c0a | Container Apps environment should disable public network access | Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| Container Apps | 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 | Authentication should be enabled on Container Apps | Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.2 > 2.0.0) | 2022-05-16 16:31:13 | BuiltIn | |
| Container Apps | 7c9f3fbb-739d-4844-8e42-97e3be6450e0 | Container App should configure with volume mount | Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| Internet of Things | 510ec8b2-cb9e-461d-b7f3-6b8678c31182 | Public network access for Azure Device Update for IoT Hub accounts should be disabled | Disabling the public network access property improves security by ensuring your Azure Device Update for IoT Hub accounts can only be accessed from a private endpoint. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| Internet of Things | 5b9d063f-c5fd-4750-a489-1258d1fefcbf | Configure Azure Device Update for IoT Hub accounts with private endpoint | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Network Contributor |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn |
| Container Apps | 0e80e269-43a4-4ae9-b5bc-178126b8a5cb | Container Apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| SignalR | d9f1f9a9-8795-49f9-9e7b-e11db14caeb2 | Azure SignalR Service should enable diagnostic logs | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| Container Apps | b874ab2d-72dd-47f1-8cb5-4a306478a4e7 | Managed Identity should be enabled for Container Apps | Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| Bot Service | 5e8168db-69e3-4beb-9822-57cb59202a9d | Bot Service should have public network access disabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-05-16 16:31:13 | BuiltIn | |
| SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.2 > 2.0.0) | 2022-05-16 16:31:13 | BuiltIn | |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Major, old suffix: preview (3.1.0-preview > 4.0.0) | 2022-05-16 16:31:13 | BuiltIn |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.1 > 4.0.0) | 2022-05-06 16:29:23 | BuiltIn |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-05-06 16:29:23 | BuiltIn |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) | 2022-05-06 16:29:23 | BuiltIn |
| Kubernetes | da6e2401-19da-4532-9141-fb8fbde08431 | Azure Kubernetes Service Clusters should use managed identities | Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-05-06 16:29:23 | BuiltIn | |
| Security Center | 6646a0bd-e110-40ca-bb97-84fcee63c414 | [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates | [Deprecated: With Cloud Services (classic) retiring (see https://azure.microsoft.com/updates/cloud-services-retirement-announcement), there will no longer be a need for this assessment as management certificates will be obsolete.] Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2022-05-06 16:29:23 | BuiltIn | |
| Guest Configuration | 50c52fc9-cb21-4d99-9031-d6a0c613361c | [Preview]: Windows machines should meet STIG compliance requirements for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-05-06 16:29:23 | BuiltIn | |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-05-06 16:29:23 | BuiltIn |
| Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning Workspaces should disable public network access | Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.2.0 > 1.3.0) | 2022-05-06 16:29:23 | BuiltIn | |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (1.0.1 > 2.0.0) | 2022-05-06 16:29:23 | BuiltIn |
| Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-05-06 16:29:23 | BuiltIn | |
| Container Apps | 8b346db6-85af-419b-8557-92cee2c0f9bb | Container App environments should use network injection | Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2022-05-06 16:29:23 | BuiltIn | |
| SQL | 86a912f6-9a06-4e26-b447-11b16ba8659f | Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL DB Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2022-05-06 16:29:23 | BuiltIn |
| Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-05-06 16:29:23 | BuiltIn | |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.1 > 2.0.0) | 2022-05-06 16:29:23 | BuiltIn |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.1 > 2.0.0) | 2022-05-06 16:29:23 | BuiltIn |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (1.1.1 > 2.0.0) | 2022-05-06 16:29:23 | BuiltIn |
| Kubernetes | 6c66c325-74c8-42fd-a286-a74b0e2939d8 | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-04-29 18:06:01 | BuiltIn |
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-04-29 18:06:01 | BuiltIn | |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (7.1.0 > 8.0.0) | 2022-04-29 18:06:01 | BuiltIn |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-04-29 18:06:01 | BuiltIn |
| Synapse | 8b5c654c-fb07-471b-aa8f-15fea733f140 | Configure Azure Synapse Workspace Dedicated SQL minimum TLS version | Customers can raise or lower the minimal TLS version using the API, for both new Synapse workspaces or existing workspaces. So users who need to use a lower client version in the workspaces can connect while users who has security requirement can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-04-29 18:06:01 | BuiltIn |
| Lab Services | e8a5a3eb-1ab6-4657-a701-7ae432cf14e1 | Lab Services should not allow template virtual machines for labs | This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-04-29 18:06:01 | BuiltIn | |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (7.1.0 > 8.0.0) | 2022-04-29 18:06:01 | BuiltIn |
| Web PubSub | 52630df9-ca7e-442b-853b-c6ce548b31a2 | [Deprecated]: Azure Web PubSub Service should use private link | The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/eb907f70-7514-460d-92b3-a5ae93b4f917 instead. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.1.0 > 7.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-04-29 18:06:01 | BuiltIn |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | [Deprecated]: Azure SignalR Service should use private link | The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated) | 2022-04-29 18:06:01 | BuiltIn | |
| Lab Services | 3e13d504-9083-4912-b935-39a085db2249 | Lab Services should restrict allowed virtual machine SKU sizes | This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-04-29 18:06:01 | BuiltIn | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (7.1.0 > 8.0.0) | 2022-04-29 18:06:01 | BuiltIn |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (7.1.0 > 8.0.0) | 2022-04-29 18:06:01 | BuiltIn |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.1.0 > 7.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Lab Services | 0fd9915e-cab3-4f24-b200-6e20e1aa276a | Lab Services should require non-admin user for labs | This policy requires non-admin user accounts to be created for the labs managed through lab-services. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.2.0 > 3.3.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Synapse | cb3738a6-82a2-4a18-b87b-15217b9deff4 | Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Major, suffix remains equal (5.1.0-preview > 6.0.0-preview) | 2022-04-29 18:06:01 | BuiltIn |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.2.0 > 6.3.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.1.0 > 6.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Lab Services | a6e9cf2d-7d76-440e-b795-8da246bd3aab | Lab Services should enable all options for auto shutdown | This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.1.0 > 5.2.0) | 2022-04-29 18:06:01 | BuiltIn | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-04-22 19:50:54 | BuiltIn | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-04-22 19:50:54 | BuiltIn | |
| Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-04-22 19:50:54 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Major, suffix remains equal (4.1.0-preview > 5.1.0-preview) | 2022-04-22 19:50:54 | BuiltIn |
| Storage | fe83a0eb-a853-422d-aac2-1bffd182c5d0 | Storage accounts should have the specified minimum TLS version | Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-04-22 19:50:54 | BuiltIn | |
| Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-04-22 19:50:54 | BuiltIn | |
| SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-04-22 19:50:54 | BuiltIn | |
| Security Center | 37c043a6-6d64-656d-6465-b362dfeb354a | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines | Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-04-15 17:17:14 | BuiltIn |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | [Deprecated]: Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated) | 2022-04-15 17:17:14 | BuiltIn | |
| Stream Analytics | ea6c4923-510a-4346-be26-1894919a5b97 | Stream Analytics job should use managed identity to authenticate endpoints | Ensure that Stream Analytics jobs only connect to endpoints using managed identity authentication. | Default Audit Allowed Deny, Disabled, Audit |
add |
new Policy | 2022-04-15 17:17:14 | BuiltIn | |
| Security Center | 1ec9c2c2-6d64-656d-6465-3ec3309b8579 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines | Deploys Microsoft Defender for Endpoint on applicable Windows VM images. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-04-15 17:17:14 | BuiltIn |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.1.0 > 6.2.0) | 2022-04-15 17:17:14 | BuiltIn | |
| Kubernetes | 73868911-4f4a-444f-adbd-5382bf70208a | Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed | Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: https://aka.ms/arc-osm-doc | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2022-04-15 17:17:14 | BuiltIn |
| Security Center | 4eb909e7-6d64-656d-6465-2eeb297a1625 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines | Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-04-15 17:17:14 | BuiltIn |
| Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-04-15 17:17:14 | BuiltIn |
| Network | Deny-VNET-Peering-To-Non-Approved-VNETs | Deny vNet peering to non-approved vNets | This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-04-11 11:16:38 | ALZ | |
| Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-04-08 16:22:13 | BuiltIn |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (6.1.0 > 7.1.0) | 2022-04-08 16:22:13 | BuiltIn |
| Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-04-08 16:22:13 | BuiltIn |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch (3.0.0 > 3.0.1) | 2022-04-08 16:22:13 | BuiltIn |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch (4.0.0 > 4.0.1) | 2022-04-08 16:22:13 | BuiltIn |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (6.1.0 > 7.1.0) | 2022-04-08 16:22:13 | BuiltIn |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (6.1.0 > 7.1.0) | 2022-04-08 16:22:13 | BuiltIn |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (6.1.0 > 7.1.0) | 2022-04-08 16:22:13 | BuiltIn |
| Regulatory Compliance | 106618ad-fe3e-49b4-bfef-01009f6770d8 | Microsoft Managed Control 1820 - Accounting of Disclosures | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2d045bca-a0fd-452e-9f41-4ec33769717c | Microsoft Managed Control 1068 - Wireless Access Restrictions | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.1 > 4.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | fc933d22-04df-48ed-8f87-22a3773d4309 | Microsoft Managed Control 1075 - Access Control for Portable And Mobile Systems | Full Device / Container-Based Encryption | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | Configure Kubernetes clusters with specified GitOps configuration using no secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 7a1e2c88-13de-4959-8ee7-47e3d74f1f48 | Microsoft Managed Control 1708 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4152937a-1a44-401a-a179-04b44ea15f4c | Microsoft Managed Control 1733 - Senior Information Security Officer | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | ef080e67-0d1a-4f76-a0c5-fb9b0358485e | Microsoft Managed Control 1089 - Security Awareness | Microsoft implements this Awareness and Training control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor, suffix remains equal (4.0.2-deprecated > 4.1.0-deprecated) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4d1d4ce2-71ea-4578-bbb4-fe76215d45ac | Microsoft Managed Control 1811 - Privacy Requirements for Contractors And Service Providers | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 7522ed84-70d5-4181-afc0-21e50b1b6d0e | Microsoft Managed Control 1417 - Remote Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2ce63a52-e47b-4ae2-adbb-6e40d967f9e6 | Microsoft Managed Control 1414 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 18573dd5-899f-453d-b069-fa77b61fe257 | Microsoft Managed Control 1870 - Information Sharing with Third Parties | Microsoft implements this Use Limitation control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4e26f8c3-4bf3-4191-b8fc-d888805101b7 | Microsoft Managed Control 1001 - Access Control Policy And Procedures Requirements | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 6519d7f3-e8a2-4ff3-a935-9a9497152ad7 | Microsoft Managed Control 1441 - Media Sanitization And Disposal | Equipment Testing | Microsoft implements this Media Protection control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.3 > 4.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | a36eb487-cbd1-4fe7-a3df-2efc6aa2c2b6 | Microsoft Managed Control 1745 - Risk Management Strategy | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 84e622c8-4bed-417c-84c6-b2fb0dd73682 | Microsoft Managed Control 1307 - User Identification And Authentication | Network Access To Non-Privileged Accounts - Replay... | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 12718e41-af09-43b9-b6e4-7caae73b410b | Microsoft Managed Control 1754 - Testing, Training, And Monitoring | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 426f3a87-2d38-47e9-9687-c095441cd82c | Microsoft Managed Control 1732 - Information Security Program Plan | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | fd4a2ac8-868a-4702-a345-6c896c3361ce | Microsoft Managed Control 1707 - Security Alerts & Advisories | Automated Alerts And Advisories | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 1ca29e41-34ec-4e70-aba9-6248aca18c31 | Microsoft Managed Control 1072 - Wireless Access Restrictions | Antennas / Transmission Power Levels | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | e54c325e-42a0-4dcf-b105-046e0f6f590f | Microsoft Managed Control 1716 - Software & Information Integrity | Integration Of Detection And Response | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 40fcc635-52a2-4dbc-9523-80a1f4aa1de6 | Microsoft Managed Control 1438 - Media Sanitization And Disposal | Microsoft implements this Media Protection control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | d7d66d05-bf34-4555-b5f2-8b749def4098 | Microsoft Managed Control 1837 - Data Retention And Disposal | System Configuration | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | ea0dfaed-95fb-448c-934e-d6e713ce393d | Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4c6df994-1810-44c9-bd35-3280397cf9a6 | Microsoft Managed Control 1868 - Internal Use | Microsoft implements this Use Limitation control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | f82e3639-fa2b-4e06-a786-932d8379b972 | Microsoft Managed Control 1705 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 1a437f5b-9ad6-4f28-8861-de404d511ae4 | Microsoft Managed Control 1071 - Wireless Access Restrictions | Restrict Configurations By Users | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2d44b6fa-1134-4ea6-ad4e-9edb68f65429 | Microsoft Managed Control 1704 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | d922484a-8cfc-4a6b-95a4-77d6a685407f | Microsoft Managed Control 1577 - Acquisitions Process | Continuous Monitoring Plan | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | b23bd715-5d1c-4e5c-9759-9cbdf79ded9d | Microsoft Managed Control 1091 - Security Awareness | Microsoft implements this Awareness and Training control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 27a69937-af92-4198-9b86-08d355c7e59a | Microsoft Managed Control 1074 - Access Control for Portable And Mobile Systems | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.0.2 > 3.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 17641f70-94cd-4a5d-a613-3d1143e20e34 | Microsoft Managed Control 1349 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Approved Products | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 | Application Insights components should block log ingestion and querying from public networks | Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 59a7116d-19fd-49e9-a068-dec4460b97e5 | Microsoft Managed Control 1731 - Information Security Program Plan | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2e5cd188-7fa8-41fc-87ff-0ac7475ccb25 | Microsoft Managed Control 1845 - Consent | Mechanisms Supporting Itemized or Tiered Consent | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 1437bf9c-feef-4c82-a57a-22d1fcbcd247 | Microsoft Managed Control 1872 - Information Sharing with Third Parties | Microsoft implements this Use Limitation control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 1189aa19-fbcf-4b3e-b9ec-76508e2fa17b | Microsoft Managed Control 1850 - Redress | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (6.0.0 > 6.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.1.2 > 6.2.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 39f15e01-d964-41ee-88e3-eefbddc840cd | Microsoft Managed Control 1846 - Individual Access | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2e0ffcf5-c19e-4e04-ad0f-2db9b15ab126 | Microsoft Managed Control 1751 - Insider Threat Program | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | c6c43097-8552-4279-8b38-7dcabff781d3 | Microsoft Managed Control 1819 - Accounting of Disclosures | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Healthcare APIs | fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 | CORS should not allow every domain to access your FHIR Service | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. | Default Audit Allowed audit, Audit, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Bot Service | 52152f42-0dda-40d9-976e-abb1acdd611e | Bot Service should have isolated mode enabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.0 > 5.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 51f2fa3e-cd5f-4713-a9ce-177ee7a22d48 | Microsoft Managed Control 1828 - Data Integrity And Data Integrity Board | Microsoft implements this Data Quality and Integrity control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | e17a106b-cf45-431e-89dc-da71e161c40c | Microsoft Managed Control 1801 - Purpose Specification | Microsoft implements this Authority and Purpose control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef | Microsoft Managed Control 1717 - Software & Information Integrity | Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | d39620a4-95c6-4d4f-8aa4-83c0c6a2c640 | Microsoft Managed Control 1818 - Accounting of Disclosures | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (6.0.0 > 6.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | d5f959a0-1808-4ebd-9a13-79237246f96f | Microsoft Managed Control 1861 - Privacy Notice | Real-Time or Layered Notice | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 12a4a4dd-6c65-4900-9d7e-63fed5da791e | Microsoft Managed Control 1834 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 3bd6a378-4173-411d-a958-dc699b0ee2fd | Microsoft Managed Control 1737 - Plan Of Action And Milestones Process | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | 6fc8115b-2008-441f-8c61-9b722c1e537f | Workbooks should be saved to storage accounts that you control | With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos | Default Audit Allowed deny, Deny, audit, Audit, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | e12494fa-b81e-4080-af71-7dbacc2da0ec | Microsoft Managed Control 1714 - Software & Information Integrity | Automated Notifications Of Integrity Violations | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 5f18c885-ade3-48c5-80b1-8f9216019c18 | Microsoft Managed Control 1576 - Acquisitions Process | Design / Implementation Information For Security Controls | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 952a545c-6dc5-4999-aeb6-51ed27dc7ea5 | Microsoft Managed Control 1854 - Inventory of Personally Identifiable Information | Microsoft implements this Security control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | ea979184-f7c4-42be-86d2-584b95c34540 | Microsoft Managed Control 1869 - Information Sharing with Third Parties | Microsoft implements this Use Limitation control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | c3e4fa5d-c0c4-46c4-9a13-bb9b9f0b003f | Microsoft Managed Control 1865 - System of Records Notices And Privacy Act Statements | Public Website Publication | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 01524fa8-4555-48ce-ba5f-c3b8dcef5147 | Microsoft Managed Control 1142 - Certification, Authorization, Security Assessment Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | aac17c36-2ac1-417f-ba74-6305f2ce6ad5 | Microsoft Managed Control 1859 - Privacy Notice | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 1f01608c-5f35-492d-8763-8edf0080cc38 | Microsoft Managed Control 1738 - Plan Of Action And Milestones Process | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 0d87c70b-5012-48e9-994b-e70dd4b8def0 | Microsoft Managed Control 1713 - Software & Information Integrity | Integrity Checks | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | 1f68a601-6e6d-4e42-babf-3f643a047ea2 | Azure Monitor Logs clusters should be encrypted with customer-managed key | Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.1 > 7.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.2 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 5c5e54f6-0127-44d0-8b61-f31dc8dd6190 | Microsoft Managed Control 1067 - Wireless Access Restrictions | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 5fd9ced5-18e8-4c09-91b7-3725680f8ade | Microsoft Managed Control 1734 - Information Security Resources | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 58c93053-7b98-4cf0-b99f-1beb985416c2 | Microsoft Managed Control 1573 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 5b61f773-2042-46a8-b489-106d850d6d4e | Microsoft Managed Control 1814 - Privacy Awareness And Training | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default Audit Allowed audit, Audit, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2ef3cc79-733e-48ed-ab6f-7bf439e9b406 | Microsoft Managed Control 1000 - Access Control Policy And Procedures Requirements | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch, suffix remains equal (3.0.2-preview > 3.0.3-preview) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 88ae1753-f34c-47c3-96af-dccb4ac052eb | Microsoft Managed Control 1830 - Minimization of Personally Identifiable Information | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | fb3c7f40-4c97-4fdd-94c9-e7d99b4f6e42 | Microsoft Managed Control 1750 - Mission/Business Process Definition | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | d4de5955-e00f-414d-9c16-f569c6a99c10 | Microsoft Managed Control 1756 - Contacts With Security Groups And Associations | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 3cb4787b-2c91-4aca-bf5a-577e99411c8a | Microsoft Managed Control 1825 - Data Quality | Validate PII | Microsoft implements this Data Quality and Integrity control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.0.2 > 3.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 238cef2f-9f76-41fa-be5e-0899a7aad0d8 | Microsoft Managed Control 1821 - Data Quality | Microsoft implements this Data Quality and Integrity control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 79da5b09-0e7e-499e-adda-141b069c7998 | Microsoft Managed Control 1510 - Position Categorization | Microsoft implements this Personnel Security control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | d461dd50-c8fb-4ccb-93bf-61f53b44e54d | Microsoft Managed Control 1742 - Critical Infrastructure Plan | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | d78966ce-05c7-4967-829d-9a414ea2bc92 | Microsoft Managed Control 1842 - Consent | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 956b00aa-7977-4214-a0f5-e0428c1f9bff | Microsoft Managed Control 1806 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4f8e271b-dfea-47e9-b81e-5519bae0b120 | Microsoft Managed Control 1852 - Compliant Management | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.0.2 > 3.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 80ca0a27-918a-4604-af9e-723a27ee51e8 | Microsoft Managed Control 1303 - User Identification And Authentication | Local Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 61a1dd98-b259-4840-abd5-fbba7ee0da83 | Microsoft Managed Control 1415 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.2 > 4.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | dd469ae0-71a8-4adc-aafc-de6949ca3339 | Microsoft Managed Control 1715 - Software & Information Integrity | Automated Response To Integrity Violations | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 6c657baf-0693-455a-8bb2-7b4bdf79fd0e | Microsoft Managed Control 1757 - Contacts With Security Groups And Associations | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 3a02bf7a-8fb7-4c97-bd55-4a8592764cc8 | Microsoft Managed Control 1840 - Minimization of PII Used in Testing, Training, And Research | Risk Minimization Techniques | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 3044f5dc-93dd-4da0-b25d-bb6cedde3536 | Microsoft Managed Control 1862 - System of Records Notices And Privacy Act Statements | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 8e903bb7-00e9-4255-a881-500742a2dbaa | Microsoft Managed Control 1843 - Consent | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | f355d62b-39a8-4ba3-abf7-90f71cb3b000 | Microsoft Managed Control 1309 - User Identification And Authentication | Acceptance Of Piv Credentials | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 04f5fb00-80bb-48a9-a75b-4cb4d4c97c36 | Microsoft Managed Control 1572 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2fb740e5-cbc7-4d10-8686-d1bf826652b1 | Microsoft Managed Control 1090 - Security Awareness | Microsoft implements this Awareness and Training control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor, suffix remains equal (6.1.3-deprecated > 6.2.0-deprecated) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 66632c7c-d0b3-4945-a8ae-e5c62cbea386 | Microsoft Managed Control 1829 - Data Integrity And Data Integrity Board | Publish Agreements on Website | Microsoft implements this Data Quality and Integrity control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | d77fd943-6ba6-4a21-ba07-22b03e347cc4 | Microsoft Managed Control 1350 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Issued Profiles | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 6b04f815-52d7-4ff6-94bf-a4f22c07d5ae | Microsoft Managed Control 1809 - Privacy Impact And Risk Assessment | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 89f2d532-c53c-4f8f-9afa-4927b1114a0d | Azure Kubernetes Service Clusters should disable Command Invoke | Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2ab0c8e3-b8ef-48e9-b6ac-a0c5e713a757 | Microsoft Managed Control 1746 - Security Authorization Process | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (2.0.2 > 2.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 3bd38f52-1833-42b2-b9aa-e1b9dcd0143b | Microsoft Managed Control 1747 - Security Authorization Process | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | a4eb2ba5-62b5-4524-83f0-7e05896edc76 | Microsoft Managed Control 1824 - Data Quality | Microsoft implements this Data Quality and Integrity control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 20ea0798-d19e-4925-afd0-53d583815818 | Microsoft Managed Control 1815 - Privacy Awareness And Training | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 05f5163b-bd90-49eb-8b6e-c1044d0b170a | Microsoft Managed Control 1752 - Information Security Workforce | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.2 > 4.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.0.4 > 7.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2234feec-08c6-4fc9-af78-df0dcc482efd | Microsoft Managed Control 1860 - Privacy Notice | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | c055ec23-c9d1-4718-be96-433aa8108516 | Microsoft Managed Control 1826 - Data Quality | Re-Validate PII | Microsoft implements this Data Quality and Integrity control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Internet of Things | c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 | Deploy - Configure Azure IoT Hubs to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Contributor •Network Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 33cfabfd-49ce-432b-b988-aff483ca3897 | Microsoft Managed Control 1871 - Information Sharing with Third Parties | Microsoft implements this Use Limitation control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | cf1cad59-1012-4b55-9b80-427596ea1f4f | Microsoft Managed Control 1867 - Dissemination of Privacy Program Information | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Event Grid | baf19753-7502-405f-8745-370519b20483 | Deploy - Configure Azure Event Grid topics to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Event Grid | d389df0a-e0d7-4607-833c-75a6fdac2c2d | Deploy - Configure Azure Event Grid domains to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | f5a44e7d-77a2-474e-b2e3-4e8c42ba514b | Microsoft Managed Control 1729 - Information Security Program Plan | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 81817e1c-5347-48dd-965a-40159d008229 | Microsoft Managed Control 1308 - User Identification And Authentication | Remote Access - Separate Device | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | b083a535-a66a-41ec-ba7f-f9498bf67cde | Microsoft Managed Control 1711 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | e4df5fb7-58e9-41de-9399-f043c7a931f8 | Microsoft Managed Control 1740 - Information Security Measures Of Performance | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 38512b01-6a68-45d6-bb97-189a9a0fbe5e | Microsoft Managed Control 1849 - Individual Access | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-04-01 20:29:14 | BuiltIn |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor, suffix remains equal (3.0.1-preview > 3.1.0-preview) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 66a56404-7b65-4e33-b371-28d069172dd4 | Microsoft Managed Control 1743 - Risk Management Strategy | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 0f935dab-83d6-47b8-85ef-68b8584161b9 | Microsoft Managed Control 1574 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2bfea08c-2567-4f29-aad7-0f238ce655ea | Microsoft Managed Control 1758 - Threat Awareness Program | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4c25cbd0-8776-412f-8466-5993e38ce602 | Microsoft Managed Control 1838 - Minimization of PII Used in Testing, Training, And Research | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | f3739612-c86c-4b2e-bbe6-0d0869aec19c | Microsoft Managed Control 1803 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 898d4fe8-f743-4333-86b7-0c9245d93e7d | Microsoft Managed Control 1411 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.0.0 > 5.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 05a32666-d134-4842-a8cb-5c299f4bc099 | Microsoft Managed Control 1728 - Incident Handling | Microsoft implements this Incident Response control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.0 > 6.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | c050047b-b21b-4822-8a2d-c1e37c3c0c6a | Configure Kubernetes clusters with specified GitOps configuration using SSH secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 45b7b644-5f91-498e-9d89-7402532d3645 | Microsoft Managed Control 1578 - Acquisitions Process | Functions / Ports / Protocols / Services In Use | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 99efece4-6828-42a4-9577-ff06bc1c4bf4 | Microsoft Managed Control 1839 - Minimization of PII Used in Testing, Training, And Research | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 563f2ce4-2d95-44b6-b828-275a2f3cac47 | Microsoft Managed Control 1848 - Individual Access | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 7c6de11b-5f51-4f7c-8d83-d2467c8a816e | Microsoft Managed Control 1143 - Certification, Authorization, Security Assessment Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4e54c7ef-7457-430b-9a3e-ef8881d4a8e0 | Microsoft Managed Control 1579 - Acquisitions Process | Use Of Approved Piv Products | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.3 > 4.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Azure Stack Edge | b4ac1030-89c5-4697-8e00-28b5ba6a8811 | Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 44e543aa-41db-42aa-98eb-8a5eb1db53f0 | Microsoft Managed Control 1712 - Software & Information Integrity | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 804faf7d-b687-40f7-9f74-79e28adf4205 | Microsoft Managed Control 1703 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 0c92e78e-4667-44f1-8b1d-bbc784b66950 | Microsoft Managed Control 1755 - Contacts With Security Groups And Associations | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | b07c9b24-729e-4e85-95fc-f224d2d08a80 | Microsoft Managed Control 1429 - Media Labeling | Microsoft implements this Media Protection control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 1fa50212-51a9-471b-95cf-3a23410ec9e9 | Microsoft Managed Control 1730 - Information Security Program Plan | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 8a29d47b-8604-4667-84ef-90d203fcb305 | Microsoft Managed Control 1092 - Security Awareness | Insider Threat | Microsoft implements this Awareness and Training control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 395736bb-aa8b-45f0-b9cc-06af26b2b1d4 | Microsoft Managed Control 1810 - Privacy Requirements for Contractors And Service Providers | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch (1.1.0 > 1.1.1) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 51d53eb3-6c02-4f3f-a608-a058af96fa6a | Microsoft Managed Control 1831 - Minimization of Personally Identifiable Information | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 5bef3414-50bc-4fc0-b3db-372bb8fe0796 | Microsoft Managed Control 1836 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Stream Analytics | 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 | Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08 | Microsoft Managed Control 1301 - User Identification And Authentication | Network Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 791cfc15-6974-42a0-9f4c-2d4b82f4a78c | Microsoft Managed Control 1647 - Use of Cryptography | Microsoft implements this System and Communications Protection control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 32d58eb6-4c76-4881-87ce-522b0e787bd0 | Microsoft Managed Control 1735 - Information Security Resources | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | ad2f8e61-a564-4dfd-8eaa-816f5be8cb34 | Microsoft Managed Control 1569 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 3492d949-0dbb-4589-88b3-7b59601cc764 | Microsoft Managed Control 1412 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.2 > 4.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Managed Application | 9db7917b-1607-4e7d-a689-bca978dd0633 | Application definition for Managed Application should use customer provided storage account | Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | af2a93c8-e6dd-4c94-acdd-4a2eedfc478e | Microsoft Managed Control 1710 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | d02e586f-d430-4053-b672-c14a788ad59f | Microsoft Managed Control 1823 - Data Quality | Microsoft implements this Data Quality and Integrity control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.0.2 > 3.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 0b1aa965-7502-41f9-92be-3e2fe7cc392a | Microsoft Managed Control 1046 - Unsuccessful Logon Attempts | Purge / Wipe Mobile Device | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 3815d34a-187d-4f30-a9fa-5ac464e3465d | Microsoft Managed Control 1736 - Information Security Resources | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | a7fcf38d-bb09-4600-be7d-825046eb162a | Microsoft Managed Control 1570 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | dce72873-c5f1-47c3-9b4f-6b8207fd5a45 | Microsoft Managed Control 1439 - Media Sanitization And Disposal | Microsoft implements this Media Protection control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4b0d8d1d-7800-4b62-b4bf-6eecde12b2af | Microsoft Managed Control 1813 - Privacy Awareness And Training | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b | Microsoft Managed Control 1304 - User Identification And Authentication | Local Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 5ec0d156-53ba-4f29-8c17-1525cde54129 | Microsoft Managed Control 1844 - Consent | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | d550e854-df1a-4de9-bf44-cd894b39a95e | Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace | Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | b6a8eae8-9854-495a-ac82-d2cd3eac02a6 | Microsoft Managed Control 1568 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 6bfe6405-805c-4c9b-a9d3-f209237bb95d | Microsoft Managed Control 1802 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2fd50ffd-c983-4fab-862c-678b95bfaf5a | Microsoft Managed Control 1832 - Minimization of Personally Identifiable Information | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.0.2 > 3.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 74520428-3aa8-449c-938d-93f51940759e | Microsoft Managed Control 1739 - Information System Inventory | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-04-01 20:29:14 | BuiltIn | |
| Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 58f477bf-287b-43ef-ab49-dffde92130a0 | Microsoft Managed Control 1816 - Privacy Reporting | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Function apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 91c97b44-791e-46e9-bad7-ab7c4949edbb | Microsoft Managed Control 1069 - Wireless Access Restrictions | Authentication And Encryption | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | d2fc426a-4b67-464b-87c9-2134b8762ddf | Microsoft Managed Control 1817 - Privacy-Enhanced System Design And Development | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 0dced7ab-9ce5-4137-93aa-14c13e06ab17 | Microsoft Managed Control 1718 - Software & Information Integrity | Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 28e633fd-284e-4ea7-88b4-02ca157ed713 | Microsoft Managed Control 1418 - Remote Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default Audit Allowed audit, Audit, disabled, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 56a838e0-0a5d-49a8-ab74-bf6be81b32f5 | Microsoft Managed Control 1835 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Automanage | b025cfb4-3702-47c2-9110-87fe0cfcc99b | Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 669ac708-82af-46f6-8bd6-75b48247489d | Microsoft Managed Control 1864 - System of Records Notices And Privacy Act Statements | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Bot Service | 51522a96-0869-4791-82f3-981000c2c67f | Bot Service should be encrypted with a customer-managed key | Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff | Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay... | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-04-01 20:29:14 | BuiltIn | |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | b92ae63b-4411-48ba-b5c9-5bcaef5f8d02 | Microsoft Managed Control 1841 - Consent | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | f7161f06-5260-4f0f-aeae-4bbfb8612a10 | Microsoft Managed Control 1812 - Privacy Monitoring And Auditing | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | 6c53d030-cc64-46f0-906d-2bc061cd1334 | Log Analytics workspaces should block log ingestion and querying from public networks | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 9870806c-153f-4fa5-aafa-c5f5eeb72292 | Microsoft Managed Control 1741 - Enterprise Architecture | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 07458826-9325-4481-abaf-bc9ed043459d | Microsoft Managed Control 1744 - Risk Management Strategy | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 9d9166a8-1722-4b8f-847c-2cf3f2618b3d | Microsoft Managed Control 1305 - User Identification And Authentication | Group Authentication | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 3a09e314-dca7-4a19-b3b4-14abd6305043 | Microsoft Managed Control 1753 - Testing, Training, And Monitoring | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.2 > 4.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 1c0b3710-03dc-450a-a56a-77b85e744f0d | Microsoft Managed Control 1749 - Mission/Business Process Definition | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Contributor •Managed Identity Operator •Virtual Machine Contributor |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 68f837d0-8942-4b1e-9b31-be78b247bda8 | Microsoft Managed Control 1070 - Wireless Access Restrictions | Disable Wireless Networking | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 86cd0591-5076-4447-aeff-2557def90353 | Microsoft Managed Control 1827 - Data Integrity And Data Integrity Board | Microsoft implements this Data Quality and Integrity control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 99deec7d-5526-472e-b07c-3645a792026a | Microsoft Managed Control 1300 - User Identification And Authentication | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | fb845c34-808d-4c17-a0ce-85a530e9164b | Microsoft Managed Control 1857 - Privacy Incident Response | Microsoft implements this Security control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (2.1.2 > 2.2.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | f475ee0e-f560-4c9b-876b-04a77460a404 | Microsoft Managed Control 1706 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 131a2706-61e9-4916-a164-00e052056462 | Microsoft Managed Control 1347 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Piv Credentials... | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 0a2119c1-f068-4bfe-9f03-db94317e8db9 | Microsoft Managed Control 1855 - Inventory of Personally Identifiable Information | Microsoft implements this Security control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | aeedddb6-6bc0-42d5-809b-80048033419d | Microsoft Managed Control 1413 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | b11c985b-f2cd-4bd7-85f4-b52426edf905 | Microsoft Managed Control 1571 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 881299bf-2a5b-4686-a1b2-321d33679953 | Microsoft Managed Control 1440 - Media Sanitization And Disposal | Review / Approve / Track / Document / Verify | Microsoft implements this Media Protection control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | f751cdb7-fbee-406b-969b-815d367cb9b3 | Microsoft Managed Control 1591 - External Information System Services | Identification Of Functions / Ports / Protocols... | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4f3b7f51-9620-4c71-b887-48a6838c68b8 | Microsoft Managed Control 1748 - Security Authorization Process | Microsoft implements this Program Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | 7cb8a3d2-a208-4b6f-95e8-e8f0bb85a7a6 | Microsoft Managed Control 1807 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 71c6c2b1-78c8-4e84-9d05-9bd4db116cba | Microsoft Managed Control 1858 - Privacy Notice | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | b2c2d6ed-bed8-419f-a8b7-59d736573acd | Microsoft Managed Control 1863 - System of Records Notices And Privacy Act Statements | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 0afb38a3-5e1c-4339-9ab4-df6a3dfc7da2 | Microsoft Managed Control 1804 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4f26049b-2c5a-4841-9ff3-d48a26aae475 | Microsoft Managed Control 1442 - Media Sanitization And Disposal | Nondestructive Techniques | Microsoft implements this Media Protection control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.0.3 > 4.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 855ced56-417b-4d74-9d5f-dd1bc81e22d6 | Microsoft Managed Control 1348 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Third-Party... | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 76ba3061-b78b-48a5-aab8-43f5ae02898d | Microsoft Managed Control 1847 - Individual Access | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 8cb6d7ea-a6ae-4bc0-ae70-9fa3715e46bf | Microsoft Managed Control 1822 - Data Quality | Microsoft implements this Data Quality and Integrity control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 4edd8330-da6b-4f1e-b996-e064d8b92cb7 | Microsoft Managed Control 1833 - Minimization of Personally Identifiable Information | Locate/Remove/Redact/Anonymize PII | Microsoft implements this Data Minimization and Retention control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.1 > 6.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (6.0.0 > 6.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | cceea882-9d83-4ca6-b30e-6a7b381a8e6a | Microsoft Managed Control 1866 - Dissemination of Privacy Program Information | Microsoft implements this Transparency control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | b6747bf9-2b97-45b8-b162-3c8becb9937d | Microsoft Managed Control 1419 - Remote Maintenance | Cryptographic Protection | Microsoft implements this Maintenance control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c | Microsoft Managed Control 1073 - Access Control for Portable And Mobile Systems | Microsoft implements this Access Control control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 9834600a-668a-482c-9310-a89861b29e06 | Microsoft Managed Control 1805 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41 | Microsoft Managed Control 1575 - Acquisitions Process | Functional Properties Of Security Controls | Microsoft implements this System and Services Acquisition control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Kubernetes | a6f560f4-f582-4b67-b123-a37dcd1bf7ea | Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | cd6120c1-d069-416d-9753-fbe84bca4b01 | Microsoft Managed Control 1808 - Privacy Impact And Risk Assessment | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 0f559588-5e53-4b14-a7c4-85d28ebc2234 | Microsoft Managed Control 1430 - Media Labeling | Microsoft implements this Media Protection control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 38dfd8a3-5290-4099-88b7-4081f4c4d8ae | Microsoft Managed Control 1416 - Remote Maintenance | Document Remote Maintenance | Microsoft implements this Maintenance control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Monitoring | fa298e57-9444-42ba-bf04-86e8470e32c7 | Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 71280b2a-8c2f-4480-b933-686c0987cfbb | Microsoft Managed Control 1851 - Redress | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 76f500cc-4bca-4583-bda1-6d084dc21086 | Microsoft Managed Control 1508 - Position Categorization | Microsoft implements this Personnel Security control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 2d5600ed-575a-4723-9ff4-52d694be0a59 | Microsoft Managed Control 1856 - Privacy Incident Response | Microsoft implements this Security control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 70792197-9bfc-4813-905a-bd33993e327f | Microsoft Managed Control 1509 - Position Categorization | Microsoft implements this Personnel Security control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 09828c65-e323-422b-9774-9d5c646124da | Microsoft Managed Control 1302 - User Identification And Authentication | Network Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 6f29a2f0-ca59-4bdc-97a7-a8d593b60108 | Microsoft Managed Control 1853 - Compliant Management | Response Times | Microsoft implements this Individual Participation and Redress control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 65c11daf-e754-406e-8d7b-f337dbd46a4f | Microsoft Managed Control 1800 - Authority to Collect | Microsoft implements this Authority and Purpose control | Fixed audit |
add |
new Policy | 2022-04-01 20:29:14 | BuiltIn | |
| Regulatory Compliance | 025992d6-7fee-4137-9bbf-2ffc39c0686c | Microsoft Managed Control 1709 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (6.0.0 > 6.1.0) | 2022-04-01 20:29:14 | BuiltIn |
| Regulatory Compliance | baff1279-05e0-4463-9a70-8ba5de4c7aa4 | Microsoft Managed Control 1726 - Information Output Handling And Retention | Microsoft implements this System and Information Integrity control | Fixed audit |
change |
Patch (1.0.0 > 1.0.1) | 2022-04-01 20:29:14 | BuiltIn | |
| CDN | daba2cce-8326-4af3-b049-81a362da024d | Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service | Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-03-25 18:52:24 | BuiltIn | |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2022-03-25 18:52:24 | BuiltIn |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-03-25 18:52:24 | BuiltIn | |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (2.0.1 > 2.1.1) | 2022-03-25 18:52:24 | BuiltIn |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Minor (2.0.1 > 2.1.1) | 2022-03-25 18:52:24 | BuiltIn |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-03-25 18:52:24 | BuiltIn | |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (2.0.0 > 2.1.0) | 2022-03-25 18:52:24 | BuiltIn |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-03-25 18:52:24 | BuiltIn | |
| CDN | dfc212af-17ea-423a-9dcb-91e2cb2caa6b | Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link | Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-03-25 18:52:24 | BuiltIn | |
| CDN | 679da822-78a7-4eff-8fff-a899454a9970 | Azure Front Door Standard and Premium should be running minimum TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-03-25 18:52:24 | BuiltIn | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Patch, suffix remains equal (3.0.1-preview > 3.0.2-preview) | 2022-03-25 18:52:24 | BuiltIn |
| Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-03-18 17:53:47 | BuiltIn |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2022-03-18 17:53:47 | BuiltIn |
| Kubernetes | 450d2877-ebea-41e8-b00c-e286317d21bf | Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration | AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-03-18 17:53:47 | BuiltIn | |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
Major (1.3.0 > 2.0.0) | 2022-03-18 17:53:47 | BuiltIn |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (2.0.1 > 2.1.0) | 2022-03-18 17:53:47 | BuiltIn |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2022-03-18 17:53:47 | BuiltIn |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-03-18 17:53:47 | BuiltIn |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-03-18 17:53:47 | BuiltIn |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.1-preview) | 2022-03-18 17:53:47 | BuiltIn |
| Storage | 06695360-db88-47f6-b976-7500d4297475 | Configure Azure File Sync to use private DNS zones | To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •Private DNS Zone Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2022-03-18 17:53:47 | BuiltIn |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-03-18 17:53:47 | BuiltIn |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed deployIfNotExists |
count: 001 •Virtual Machine Contributor |
change |
Major (1.3.0 > 2.0.0) | 2022-03-18 17:53:47 | BuiltIn |
| Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-03-11 18:16:48 | BuiltIn | |
| Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-03-11 18:16:48 | BuiltIn | |
| Security Center | 82bf5b87-728b-4a74-ba4d-6123845cf542 | Configure Microsoft Defender for Azure Cosmos DB to be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2022-03-11 18:16:48 | BuiltIn |
| Synapse | 32ba8d30-07c0-4136-ab18-9a11bf4a67b7 | Configure Synapse workspaces to have auditing enabled to Log Analytics workspace | To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Owner |
add |
new Policy | 2022-03-11 18:16:48 | BuiltIn |
| Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Major (1.0.0 > 2.0.0) | 2022-03-11 18:16:48 | BuiltIn |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-03-11 18:16:48 | BuiltIn |
| Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Major (1.0.0 > 2.0.0) | 2022-03-11 18:16:48 | BuiltIn |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2022-03-11 18:16:48 | BuiltIn |
| SQL | 25da7dfb-0666-4a15-a8f5-402127efd8bb | Configure SQL servers to have auditing enabled to Log Analytics workspace | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •SQL Security Manager |
add |
new Policy | 2022-03-11 18:16:48 | BuiltIn |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (3.0.0 > 4.0.0) | 2022-03-11 18:16:48 | BuiltIn |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.2 > 6.0.0) | 2022-03-11 18:16:48 | BuiltIn | |
| SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (1.0.1 > 2.0.0) | 2022-03-11 18:16:48 | BuiltIn | |
| Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-03-11 18:16:48 | BuiltIn |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.2 > 5.0.0) | 2022-03-11 18:16:48 | BuiltIn | |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default Audit Allowed Audit, Disabled |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2022-03-11 18:16:48 | BuiltIn | |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-03-11 18:16:48 | BuiltIn |
| Security Center | adbe85b5-83e6-4350-ab58-bf3a4f736e5e | Microsoft Defender for Azure Cosmos DB should be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-03-11 18:16:48 | BuiltIn | |
| Backup | 8015d6ed-3641-4534-8d0b-5c67b67ff7de | [Preview]: Configure Recovery Services vaults to use private endpoints for backup | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at : https://go.microsoft.com/fwlink/?linkid=2187162. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2022-03-11 18:16:48 | BuiltIn |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (3.0.0 > 3.0.1) | 2022-03-11 18:16:48 | BuiltIn |
| Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Major (1.0.0 > 2.0.0) | 2022-03-11 18:16:48 | BuiltIn |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-03-11 18:16:48 | BuiltIn |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2022-03-11 18:16:48 | BuiltIn |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-03-11 18:16:48 | BuiltIn |
| Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-03-11 18:16:48 | BuiltIn |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) | 2022-03-11 18:16:48 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.2 > 5.0.0) | 2022-03-11 18:16:48 | BuiltIn | |
| Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-03-11 18:16:48 | BuiltIn | |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-02-18 17:44:00 | BuiltIn |
| Storage | 7c322315-e26d-4174-a99e-f49d351b4688 | Table Storage should use customer-managed key for encryption | Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn | |
| Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed auditIfNotExists |
change |
Major (2.0.0 > 3.0.0) | 2022-02-18 17:44:00 | BuiltIn | |
| SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-02-18 17:44:00 | BuiltIn | |
| Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-02-18 17:44:00 | BuiltIn |
| Security Center | cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 | [Deprecated]: Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated) | 2022-02-18 17:44:00 | BuiltIn | |
| Stream Analytics | fe8684d6-3c5b-45c0-a08b-fa92653c2e1c | Stream Analytics job should connect to trusted inputs and outputs | Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization. | Default Audit Allowed Deny, Disabled, Audit |
change |
Minor (1.0.0 > 1.1.0) | 2022-02-18 17:44:00 | BuiltIn | |
| Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. | Fixed auditIfNotExists |
change |
Major (2.0.0 > 3.0.0) | 2022-02-18 17:44:00 | BuiltIn | |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-02-18 17:44:00 | BuiltIn |
| Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | Fixed auditIfNotExists |
change |
Major (2.0.0 > 3.0.0) | 2022-02-18 17:44:00 | BuiltIn | |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-02-18 17:44:00 | BuiltIn | |
| Storage | f0e5abd0-2554-4736-b7c0-4ffef23475ef | Queue Storage should use customer-managed key for encryption | Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn | |
| Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-02-18 17:44:00 | BuiltIn | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-02-18 17:44:00 | BuiltIn |
| Security Center | 4eb909e7-6d64-656d-6465-2eeb297a1625 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines | Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| Security Center | 37c043a6-6d64-656d-6465-b362dfeb354a | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines | Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (3.0.2 > 3.1.0) | 2022-02-18 17:44:00 | BuiltIn | |
| Security Center | 1ec9c2c2-6d64-656d-6465-3ec3309b8579 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines | Deploys Microsoft Defender for Endpoint on applicable Windows VM images. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| Guest Configuration | 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | Fixed auditIfNotExists |
change |
Major (2.0.0 > 3.0.0) | 2022-02-18 17:44:00 | BuiltIn | |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Major (3.0.0 > 4.0.0) | 2022-02-18 17:44:00 | BuiltIn |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.1 > 2.0.0) | 2022-02-18 17:44:00 | BuiltIn |
| Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed auditIfNotExists |
change |
Major (2.0.0 > 3.0.0) | 2022-02-18 17:44:00 | BuiltIn | |
| Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-02-18 17:44:00 | BuiltIn |
| Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning Workspaces should disable public network access | Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.2.0) | 2022-02-18 17:44:00 | BuiltIn | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Minor (2.0.0 > 2.1.0) | 2022-02-18 17:44:00 | BuiltIn |
| Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (5.0.0 > 6.0.0) | 2022-02-11 18:30:22 | BuiltIn |
| Storage | 7c6c7139-7d8e-45d0-9d94-72386a61308b | Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data encryption | Only allow the use of Kerberos privacy (5p) security mode to ensure data is encrypted. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview) | 2022-02-11 18:30:22 | BuiltIn |
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn |
| Container Registry | 9f2dea28-e834-476c-99c5-3507b4728395 | Container registries should have anonymous authentication disabled. | Disable anonymous pull for your registry so that data is not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn | |
| Storage | 16f4af95-96b1-4220-805a-367ca59cd72e | Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data integrity or data privacy | Ensure that at least either Kerberos integrity (krb5i) or Kerberos privacy (krb5p) is selected to ensure data integrity and data privacy. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn | |
| Container Registry | dc921057-6b28-4fbe-9b83-f7bec05db6c2 | Container registries should have local admin account disabled. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-02-11 18:30:22 | BuiltIn | |
| Container Registry | a9b426fe-8856-4945-8600-18c5dd1cca2a | Configure container registries to disable repository scoped access token. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (5.0.0 > 6.0.0) | 2022-02-11 18:30:22 | BuiltIn |
| Storage | ddcf4b94-9dfa-4a80-aca6-22bb654fde72 | Azure NetApp Files SMB Volumes should use SMB3 encryption | Disallow the creation of SMB Volumes without SMB3 encryption to ensure data integrity and data privacy. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (5.0.0 > 6.0.0) | 2022-02-11 18:30:22 | BuiltIn |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (5.0.0 > 6.0.0) | 2022-02-11 18:30:22 | BuiltIn |
| Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn |
| Container Registry | cced2946-b08a-44fe-9fd9-e4ed8a779897 | Configure container registries to disable anonymous authentication. | Disable anonymous pull for your registry so that data not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn |
| App Service | 2d048aca-6479-4923-88f5-e2ac295d9af3 | App Service Environment apps should not be reachable over public internet | To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-02-11 18:30:22 | BuiltIn | |
| Container Registry | ff05e24e-195c-447e-b322-5e90c9f9f366 | Container registries should have repository scoped access token disabled. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn | |
| Storage | d558e1a6-296d-4fbb-81a5-ea25822639f6 | Azure NetApp Files Volumes should not use NFSv3 protocol type | Disallow the use of NFSv3 protocol type to prevent unsecure access to volumes. NFSv4.1 with Kerberos protocol should be used to access NFS volumes to ensure data integrity and encryption. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn | |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-02-11 18:30:22 | BuiltIn |
| Container Registry | 79fdfe03-ffcb-4e55-b4d0-b925b8241759 | Configure container registries to disable local admin account. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2022-02-11 18:30:22 | BuiltIn |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-04 18:25:37 | BuiltIn | |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-02-04 18:25:37 | BuiltIn |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (2.0.0 > 3.0.0) | 2022-02-04 18:25:37 | BuiltIn |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-02-04 18:25:37 | BuiltIn |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-02-04 18:25:37 | BuiltIn |
| Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-02-04 18:25:37 | BuiltIn | |
| SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default Deny Allowed Deny, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2022-02-04 18:25:37 | BuiltIn | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2022-02-04 18:25:37 | BuiltIn |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (2.0.1 > 3.0.0) | 2022-02-04 18:25:37 | BuiltIn |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-02-04 18:25:37 | BuiltIn |
| Automanage | 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc | Hotpatch should be enabled for Windows Server Azure Edition VMs | Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-02-04 18:25:37 | BuiltIn | |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2022-02-04 18:25:37 | BuiltIn |
| Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-02-04 18:25:37 | BuiltIn | |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Major, suffix remains equal (2.2.0-preview > 3.0.0-preview) | 2022-02-04 18:25:37 | BuiltIn |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Major (1.1.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn |
| Guest Configuration | 4078e558-bda6-41fb-9b3c-361e8875200d | Windows machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.1.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 8316fa92-d69c-4810-8124-62414f560dcf | Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Major (1.1.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn |
| Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.2.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f | Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn |
| Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.2.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.3.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.2.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (1.2.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn |
| App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.1.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn |
| Guest Configuration | ebb67efd-3c46-49b0-adfe-5599eb944998 | Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 33936777-f2ac-45aa-82ec-07958ec9ade4 | Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 630ac30f-a234-4533-ac2d-e0df77acda51 | Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.1 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.2.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn |
| Guest Configuration | 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 | Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 84662df4-0e37-44a6-9ce1-c9d2150db18c | Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.1.1 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.2 > 4.0.3) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 1417908b-4bff-46ee-a2a6-4acc899320ab | Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 | Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | f79fef0d-0050-4c18-a303-5babb9c14ac7 | Windows machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | beb6ccee-b6b8-4e91-9801-a5fa4260a104 | Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn |
| Guest Configuration | 4221adbc-5c0f-474f-88b7-037a99e6114c | Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | c5b85cba-6e6f-4de4-95e1-f0233cd712ac | Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 6265018c-d7e2-432f-a75d-094d5f6f4465 | Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 | Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | Fixed auditIfNotExists |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Monitoring | 594c1276-f44f-482d-9910-71fac2ce5ae0 | [Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2022-01-28 17:51:01 | BuiltIn |
| Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.2.0 > 4.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn |
| Guest Configuration | 35781875-8026-4628-b19b-f6efb4d88a1d | Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | da0f98fe-a24b-4ad5-af69-bd0400233661 | Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | b4a4d1eb-0263-441b-84cb-a44073d8372d | Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.1.0 > 4.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | bf16e0bb-31e1-4646-8202-60a235cc7e74 | Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2022-01-28 17:51:01 | BuiltIn | |
| Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-01-21 21:53:22 | BuiltIn |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.2 > 4.0.3) | 2022-01-21 21:53:22 | BuiltIn | |
| General | 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 | [Deprecated]: Custom subscription owner roles should not exist | This policy is deprecated. | Default Audit Allowed Audit, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2022-01-21 21:53:22 | BuiltIn | |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.1.0 > 2.2.0) | 2022-01-21 21:53:22 | BuiltIn | |
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-21 21:53:22 | BuiltIn | |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, new suffix: version (4.1.0 > 4.1.0-version-deprecated) | 2022-01-21 21:53:22 | BuiltIn |
| Azure Edge Hardware Center | 08a6b96f-576e-47a2-8511-119a212d344d | Azure Edge Hardware Center devices should have double encryption support enabled | Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-14 17:44:09 | BuiltIn | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-01-14 17:44:09 | BuiltIn | |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2022-01-14 17:44:09 | BuiltIn | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (3.1.0-preview > 4.0.0-preview) | 2022-01-14 17:44:09 | BuiltIn | |
| Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-01-07 18:14:35 | BuiltIn | |
| Internet of Things | 27d4c5ec-8820-443f-91fe-1215e96f64b2 | Azure Device Update for IoT Hub accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Device Update for IoT Hub accounts, data leakage risks are reduced. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2022-01-07 18:14:35 | BuiltIn | |
| Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2022-01-07 18:14:35 | BuiltIn | |
| Monitoring | 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 | Configure Log Analytics workspace and automation account to centralize logs and monitoring | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2022-01-07 18:14:35 | BuiltIn |
| SQL | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2022-01-07 18:14:35 | BuiltIn | |
| App Service | b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 | [Deprecated]: Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2022-01-07 18:14:35 | BuiltIn | |
| Monitoring | 04c4380f-3fae-46e8-96c9-30193528f602 | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2022-01-07 18:14:35 | BuiltIn | |
| Backup | 615b01c4-d565-4f6f-8c6e-d130268e3a1a | [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Backup Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-01-07 18:14:35 | BuiltIn |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, new suffix: deprecated (6.1.2 > 6.1.3-deprecated) | 2022-01-07 18:14:35 | BuiltIn | |
| Azure Purview | 9259053b-ddb8-40ab-842a-0aef19d0ade4 | Azure Purview accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2022-01-07 18:14:35 | BuiltIn | |
| Storage | bc1b984e-ddae-40cc-801a-050a030e4fbe | Storage accounts should have shared access signature (SAS) policies configured | Ensure storage accounts have shared access signature (SAS) expiration policy enabled. Users use a SAS to delegate access to resources in Azure Storage account. And SAS expiration policy recommend upper expiration limit when a user creates a SAS token. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2022-01-07 18:14:35 | BuiltIn | |
| Bot Service | 52152f42-0dda-40d9-976e-abb1acdd611e | Bot Service should have isolated mode enabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2022-01-07 18:14:35 | BuiltIn | |
| Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | Fixed AuditIfNotExists |
change |
Minor (1.0.0 > 1.1.0) | 2022-01-07 18:14:35 | BuiltIn | |
| Monitoring | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2022-01-07 18:14:35 | BuiltIn | |
| Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2022-01-07 18:14:35 | BuiltIn | |
| Backup | 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 | [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Backup Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2022-01-07 18:14:35 | BuiltIn |
| Monitoring | 594c1276-f44f-482d-9910-71fac2ce5ae0 | [Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-01-07 18:14:35 | BuiltIn |
| Monitoring | bacd7fca-1938-443d-aad6-a786107b1bfb | [Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2022-01-07 18:14:35 | BuiltIn |
| Kubernetes | c050047b-b21b-4822-8a2d-c1e37c3c0c6a | Configure Kubernetes clusters with specified GitOps configuration using SSH secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-10 17:29:56 | BuiltIn |
| Network | 5e1cd26a-5090-4fdb-9d6a-84a90335e22d | Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-10 17:29:56 | BuiltIn |
| Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-10 17:29:56 | BuiltIn |
| Network | e920df7f-9a64-4066-9b58-52684c02a091 | Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-10 17:29:56 | BuiltIn |
| Kubernetes | a6f560f4-f582-4b67-b123-a37dcd1bf7ea | Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-10 17:29:56 | BuiltIn |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2021-12-06 22:17:57 | BuiltIn | |
| Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Monitoring | a499fed8-bcc8-4195-b154-641f14743757 | Azure Monitor Private Link Scope should block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.1 > 4.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| SQL | 0d134df8-db83-46fb-ad72-fe0c9428c8dd | [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest | This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.1 > 2.0.1-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.1 > 4.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Kubernetes Extension Contributor |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn |
| Compute | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.1 > 3.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn |
| Backup | 615b01c4-d565-4f6f-8c6e-d130268e3a1a | [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Backup Contributor |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.1.0 > 2.2.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.1 > 5.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.0 > 7.0.1) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.1 > 4.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| SQL | ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 | SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, old suffix: preview (1.0.0-preview > 2.0.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.1 > 4.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | [Deprecated]: Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (2.0.1 > 2.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2021-12-06 22:17:57 | BuiltIn |
| Backup | 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 | [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Backup Contributor |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.1 > 3.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (2.1.1 > 2.1.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.3 > 7.0.4) | 2021-12-06 22:17:57 | BuiltIn | |
| Security Center | b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 | Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-06 22:17:57 | BuiltIn |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.1 > 4.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| SQL | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, old suffix: preview (1.0.0-preview > 2.0.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Security Center | d3d1e68e-49d4-4b56-acff-93cef644b432 | [Deprecated]: Configure Azure Defender for container registries to be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.1 > 6.1.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.0 > 7.0.1) | 2021-12-06 22:17:57 | BuiltIn | |
| Monitoring | c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 | Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | Fixed deployIfNotExists |
count: 002 •Monitoring Contributor •Storage Account Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-12-06 22:17:57 | BuiltIn |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.1 > 3.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Monitoring | bec5db8e-c4e3-40f9-a545-e0bd00065c82 | Configure Azure Monitor Private Link Scope to block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2021-12-06 22:17:57 | BuiltIn |
| Security Center | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, suffix remains equal (4.0.1-deprecated > 4.0.2-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Security Center | 2370a3c1-4a25-4283-a91a-c9c1a145fb2f | [Deprecated]: Configure Azure Defender for DNS to be enabled | This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-06 22:17:57 | BuiltIn |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2021-12-06 22:17:57 | BuiltIn |
| Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| Security Center | c9ddb292-b203-4738-aead-18e2716e858f | Configure Microsoft Defender for Containers to be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn |
| Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn |
| App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default Audit Allowed Audit, Disabled, Deny |
change |
Minor (1.0.0 > 1.1.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.1 > 3.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.1 > 6.1.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.1 > 4.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (4.0.0 > 5.0.0) | 2021-12-06 22:17:57 | BuiltIn |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.1 > 3.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.2.0 > 1.3.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.2 > 4.0.3) | 2021-12-06 22:17:57 | BuiltIn | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (4.0.0 > 5.0.0) | 2021-12-06 22:17:57 | BuiltIn |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Major (2.0.0 > 3.0.0) | 2021-12-06 22:17:57 | BuiltIn |
| Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | [Deprecated]: Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.1 > 3.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| 165a4137-c3ed-4fd0-a17f-1c8a80266580 | Fixed |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn | ||||
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn |
| Security Center | 1f725891-01c0-420a-9059-4fa46cb770b7 | Configure Microsoft Defender for Key Vault plan | Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-06 22:17:57 | BuiltIn |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | 1e7fed80-8321-4605-b42c-65fc300f23a3 | Linux machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.1 > 4.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.0.0 > 6.0.1) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.1 > 4.0.2) | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| SQL | 048248b0-55cd-46da-b1ff-39efd52db260 | [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest | This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 instead | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.2 > 1.0.2-deprecated) | 2021-12-06 22:17:57 | BuiltIn | |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (4.0.0 > 5.0.0) | 2021-12-06 22:17:57 | BuiltIn |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (1.1.1 > 1.2.0) | 2021-12-06 22:17:57 | BuiltIn |
| Security Center | 133047bf-1369-41e3-a3be-74a11ed1395a | [Deprecated]: Configure Azure Defender for Kubernetes to be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn |
| Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn | |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-06 22:17:57 | BuiltIn | |
| Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-12-06 22:17:57 | BuiltIn | |
| Security Center | b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d | Configure Azure Defender for App Service to be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Patch (1.0.0 > 1.0.1) | 2021-12-06 22:17:57 | BuiltIn |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (4.0.0 > 5.0.0) | 2021-12-06 22:17:57 | BuiltIn |
| Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | 2021-12-06 22:17:57 | BuiltIn |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 4.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 009259b0-12e8-42c9-94e7-7af86aa58d13 | [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Reader •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (2.0.0-preview > 4.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-11-12 16:23:07 | BuiltIn |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-11-12 16:23:07 | BuiltIn |
| Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | ec88097d-843f-4a92-8471-78016d337ba4 | [Preview]: Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | 1288c8d7-4b05-4e3a-bc88-9053caefc021 | [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets | Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | f08f556c-12ff-464d-a7de-40cb5b6cccec | [Preview]: Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 5.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d00 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets | Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn | |
| Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | 95406fc3-1f69-47b0-8105-4c03b276ec5c | [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot | Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 5.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (2.0.0-preview > 5.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default Audit Allowed Audit, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | [Preview]: vTPM should be enabled on supported virtual machines | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Default Audit Allowed Audit, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.2 > 7.0.3) | 2021-11-12 16:23:07 | BuiltIn | |
| Stream Analytics | fe8684d6-3c5b-45c0-a08b-fa92653c2e1c | Stream Analytics job should connect to trusted inputs and outputs | Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization. | Default Audit Allowed Deny, Disabled, Audit |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | 1cb4d9c2-f88f-4069-bee0-dba239a57b09 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 3.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | 221aac80-54d8-484b-83d7-24f4feac2ce0 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine | Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | d62cfe2b-3ab0-4d41-980d-76803b58ca65 | [Deprecated]: Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d2c | [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets | Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 8893442c-e7cb-4637-bab8-299a5d4ed96a | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine | Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Default Audit Allowed Audit, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 3.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | e494853f-93c3-4e44-9210-d12f61a64b34 | [Preview]: Configure supported virtual machines to automatically enable vTPM | Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | a7f5e735-d212-4c32-9229-d12bffbc7e00 | [Preview]: ChangeTracking extension should be installed on your Windows Arc machine | Install ChangeTracking Extension on Windows Arc machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, new suffix: preview (1.0.0 > 1.0.1-preview) | 2021-11-12 16:23:07 | BuiltIn | |
| Media Services | 9285c3de-d5fd-4225-86d4-027894b0c442 | Azure Media Services should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Media Services accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/mediaservicescmkdocs. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 6.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | e71c1e29-9c76-4532-8c4b-cb0573b0014c | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets | Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn | |
| Security Center | 10caed8a-652c-4d1d-84e4-2805b7c07278 | [Preview]: Configure ChangeTracking Extension for Linux Arc machines | Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 7cb1b219-61c6-47e0-b80c-4472cadeeb5f | [Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot | Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 3.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4cd5 | [Preview]: Configure ChangeTracking Extension for Windows Arc machines | Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | 496e010e-fa91-4c00-be4b-92b481f67b58 | [Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension | Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Reader •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-11-12 16:23:07 | BuiltIn |
| Security Center | fc47609f-4d9b-4aed-806b-446816cc63a3 | [Preview]: ChangeTracking extension should be installed on your Linux Arc machine | Install ChangeTracking Extension on Linux Arc machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-11-12 16:23:07 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.1 > 7.0.2) | 2021-10-25 16:02:14 | BuiltIn | |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Version remains equal, new suffix: preview (2.0.1 > 2.0.1-preview) | 2021-10-25 16:02:14 | BuiltIn | |
| Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-10-22 15:42:38 | BuiltIn | |
| Security Center | 496e010e-fa91-4c00-be4b-92b481f67b58 | [Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension | Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Reader •Virtual Machine Contributor |
add |
new Policy | 2021-10-22 15:42:38 | BuiltIn |
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-10-22 15:42:38 | BuiltIn |
| Security Center | 009259b0-12e8-42c9-94e7-7af86aa58d13 | [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Reader •Virtual Machine Contributor |
add |
new Policy | 2021-10-22 15:42:38 | BuiltIn |
| Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-10-22 15:42:38 | BuiltIn | |
| Security Center | 0961003e-5a0a-4549-abde-af6a37f2724d | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.2 > 2.0.3) | 2021-10-22 15:42:38 | BuiltIn | |
| Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2021-10-22 15:42:38 | BuiltIn |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.1 > 2.0.0) | 2021-10-22 15:42:38 | BuiltIn |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-10-22 15:42:38 | BuiltIn |
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-10-22 15:42:38 | BuiltIn |
| Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-10-22 15:42:38 | BuiltIn | |
| Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-10-22 15:42:38 | BuiltIn |
| Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-10-22 15:42:38 | BuiltIn |
| Compute | 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 | [Deprecated]: Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Default Audit Allowed Audit, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2021-10-19 19:10:32 | BuiltIn | |
| Search | 4eb216f2-9dba-4979-86e6-5d7e63ce3b75 | Configure Azure Cognitive Search services to disable local authentication | Disable local authentication methods so that your Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. | Default Modify Allowed Modify, Disabled |
count: 001 •Search Service Contributor |
add |
new Policy | 2021-10-19 19:10:32 | BuiltIn |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, old suffix: preview (1.2.0-preview > 1.2.0) | 2021-10-19 19:10:32 | BuiltIn | |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-10-19 19:10:32 | BuiltIn |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-10-19 19:10:32 | BuiltIn |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-10-19 19:10:32 | BuiltIn |
| Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2021-10-19 19:10:32 | BuiltIn |
| Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, old suffix: preview (1.0.1-preview > 1.0.1) | 2021-10-19 19:10:32 | BuiltIn | |
| Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-10-19 19:10:32 | BuiltIn | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2021-10-19 19:10:32 | BuiltIn |
| Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-10-19 19:10:32 | BuiltIn | |
| Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-10-19 19:10:32 | BuiltIn | |
| Search | 6300012e-e9a4-4649-b41f-a85f5c43be91 | Azure Cognitive Search services should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure Cognitive Search portal functionality since some features of the Portal use the GA API which does not support the parameter. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-10-19 19:10:32 | BuiltIn | |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2021-10-19 19:10:32 | BuiltIn |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Contributor •Managed Identity Operator •Virtual Machine Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2021-10-19 19:10:32 | BuiltIn |
| Azure Arc | 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 | Azure Arc Private Link Scopes should be configured with a private endpoint | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn | |
| Azure Arc | de0bc8ea-76e2-4fe2-a288-a07556d0e9c4 | Configure Azure Arc Private Link Scopes to disable public network access | Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn |
| Machine Learning | 7804b5c7-01dc-4723-969b-ae300cc07ff1 | Azure Machine Learning Computes should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn | |
| Key Vault | ed7c8c13-51e7-49d1-8a43-8490431a0da2 | Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2021-10-08 15:47:40 | BuiltIn |
| Azure Arc | 898f2439-3333-4713-af25-f1d78bc50556 | Azure Arc Private Link Scopes should disable public network access | Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn | |
| Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn | |
| Security Center | 44433aa3-7ec2-4002-93ea-65c65ff0310a | Configure Azure Defender for open-source relational databases to be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn |
| Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-10-08 15:47:40 | BuiltIn |
| Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Contributor |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn |
| HDInsight | 2676090a-4baf-46ac-9085-4ac02cc50e3e | Configure Azure HDInsight clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn |
| HDInsight | c8cc2f85-e019-4065-9fa3-5e6a2b2dde56 | Azure HDInsight should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn | |
| Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed modify |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn |
| Azure Arc | efa3f296-ff2b-4f38-bc0d-5ef12c965b68 | Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn | |
| Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Major (1.2.0 > 2.0.0) | 2021-10-08 15:47:40 | BuiltIn |
| Azure Arc | a3461c8c-6c9d-4e42-a644-40ba8a1abf49 | Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Modify Allowed Modify, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Patch (1.1.0 > 1.1.1) | 2021-10-08 15:47:40 | BuiltIn |
| HDInsight | 43d6e3bd-fc6a-4b44-8b4d-2151d8736a11 | Configure Azure HDInsight clusters to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn |
| Azure Arc | 55c4db33-97b0-437b-8469-c4f4498f5df9 | Configure Azure Arc Private Link Scopes to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn |
| Azure Arc | d6eeba80-df61-4de5-8772-bc1b7852ba6b | Configure Azure Arc Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Azure Connected Machine Resource Administrator •Kubernetes Cluster - Azure Arc Onboarding •Network Contributor |
add |
new Policy | 2021-10-08 15:47:40 | BuiltIn |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2021-10-04 15:27:15 | BuiltIn | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Version remains equal, old suffix: preview (2.0.1-preview > 2.0.1) | 2021-10-04 15:27:15 | BuiltIn | |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-10-04 15:27:15 | BuiltIn | |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-10-04 15:27:15 | BuiltIn | |
| Service Bus | 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e | Configure Azure Service Bus namespaces to disable local authentication | Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. | Default Modify Allowed Modify, Disabled |
count: 001 •Azure Service Bus Data Owner |
add |
new Policy | 2021-10-04 15:27:15 | BuiltIn |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2021-10-04 15:27:15 | BuiltIn |
| Event Hub | 5d4e3c65-4873-47be-94f3-6f8b953a3598 | Azure Event Hub namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-10-04 15:27:15 | BuiltIn | |
| Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-10-04 15:27:15 | BuiltIn | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2021-10-04 15:27:15 | BuiltIn | |
| Service Bus | cfb11c26-f069-4c14-8e36-56c394dae5af | Azure Service Bus namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-10-04 15:27:15 | BuiltIn | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1) | 2021-10-04 15:27:15 | BuiltIn | |
| Event Hub | 57f35901-8389-40bb-ac49-3ba4f86d889d | Configure Azure Event Hub namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default Modify Allowed Modify, Disabled |
count: 001 •Azure Event Hubs Data Owner |
add |
new Policy | 2021-10-04 15:27:15 | BuiltIn |
| Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning Workspaces should disable public network access | Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-10-04 15:27:15 | BuiltIn | |
| Security Center | af99038c-02fd-4a2f-ac24-386b62bf32de | [Preview]: Machines should have ports closed that might expose attack vectors | Azure's Terms Of Use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server, or the network. The exposed ports identified by this recommendation need to be closed for your continued security. For each identified port, the recommendation also provides an explanation of the potential threat. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-10-04 15:27:15 | BuiltIn | |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Minor (1.0.1 > 1.1.0) | 2021-10-04 15:27:15 | BuiltIn |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.0.0 > 3.1.0) | 2021-10-04 15:27:15 | BuiltIn | |
| Machine Learning | a10ee784-7409-4941-b091-663697637c0f | Configure Azure Machine Learning Workspaces to disable public network access | Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-10-04 15:27:15 | BuiltIn |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Version remains equal, old suffix: preview (2.1.1-preview > 2.1.1) | 2021-10-04 15:27:15 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1) | 2021-10-04 15:27:15 | BuiltIn | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2021-10-04 15:27:15 | BuiltIn | |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-10-04 15:27:15 | BuiltIn | |
| Network | 2c89a2e5-7285-40fe-afe0-ae8654b92fab | [Deprecated]: SSH access from the Internet should be blocked | This policy is deprecated. This policy audits any network security rule that allows SSH access from Internet | Default Audit Allowed Audit, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2021-09-27 15:52:17 | BuiltIn | |
| Key Vault | 84d327c3-164a-4685-b453-900478614456 | [Preview]: Configure Azure Key Vault Managed HSM to disable public network access | Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Default Modify Allowed Modify, Disabled |
count: 001 •Managed HSM contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-09-27 15:52:17 | BuiltIn |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed deployIfNotExists |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2021-09-27 15:52:17 | BuiltIn |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2021-09-27 15:52:17 | BuiltIn |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2021-09-27 15:52:17 | BuiltIn |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images | This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-09-27 15:52:17 | BuiltIn | |
| Network | 98a2e215-5382-489e-bd29-32e7190a39ba | Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace | Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-09-27 15:52:17 | BuiltIn |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (7.0.0 > 7.0.1) | 2021-09-27 15:52:17 | BuiltIn | |
| Monitoring | a70ca396-0a34-413a-88e1-b956c1e683be | Virtual machines should have the Log Analytics extension installed | This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-09-27 15:52:17 | BuiltIn | |
| Monitoring | 32133ab0-ee4b-4b44-98d6-042180979d50 | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2021-09-27 15:52:17 | BuiltIn | |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2021-09-27 15:52:17 | BuiltIn |
| Network | e372f825-a257-4fb8-9175-797a8a8627d6 | [Deprecated]: RDP access from the Internet should be blocked | This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet | Default Audit Allowed Audit, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2021-09-27 15:52:17 | BuiltIn | |
| Monitoring | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2021-09-27 15:52:17 | BuiltIn | |
| Monitoring | efbde977-ba53-4479-b8e9-10b957924fbf | The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-09-27 15:52:17 | BuiltIn | |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2021-09-27 15:52:17 | BuiltIn |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Major (1.0.1 > 2.0.0) | 2021-09-27 15:52:17 | BuiltIn |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics extension for Linux VMs. See deprecation notice below | Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
Patch (2.0.0 > 2.0.1) | 2021-09-27 15:52:17 | BuiltIn |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-09-27 15:52:17 | BuiltIn |
| Guest Configuration | 4078e558-bda6-41fb-9b3c-361e8875200d | Windows machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-27 15:52:17 | BuiltIn | |
| Storage | 92a89a79-6c52-4a7e-a03f-61306fc49312 | Storage accounts should prevent cross tenant object replication | Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. It is a security concern because customer's data can be replicated to a storage account that is owned by the customer. By setting allowCrossTenantReplication to false, objects replication can be configured only if both source and destination accounts are in the same Azure AD tenant. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-09-27 15:52:17 | BuiltIn | |
| Guest Configuration | 1e7fed80-8321-4605-b42c-65fc300f23a3 | Linux machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-27 15:52:17 | BuiltIn | |
| Monitoring | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2021-09-27 15:52:17 | BuiltIn | |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2021-09-27 15:52:17 | BuiltIn | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major, suffix remains equal (1.1.0-preview > 3.0.0-preview) | 2021-09-27 15:52:17 | BuiltIn |
| Security Center | bdc59948-5574-49b3-bb91-76b7c986428d | [Deprecated]: Azure Defender for DNS should be enabled | This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2021-09-27 15:52:17 | BuiltIn | |
| Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs | This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated) | 2021-09-27 15:52:17 | BuiltIn |
| Synapse | ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee | Configure Synapse workspaces to have auditing enabled | To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •SQL Security Manager •Storage Account Contributor |
change |
Major (1.1.0 > 2.0.0) | 2021-09-27 15:52:17 | BuiltIn |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.1 > 4.0.0) | 2021-09-21 16:12:09 | BuiltIn | |
| Automation | 30d1d58e-8f96-47a5-8564-499a3f3cca81 | Configure Azure Automation account to disable local authentication | Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn |
| Event Grid | 8632b003-3545-4b29-85e6-b2b96773df1e | Azure Event Grid partner namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn | |
| Event Grid | ae9fb87f-8a17-4428-94a4-8135d431055c | Azure Event Grid topics should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn | |
| Automation | 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 | Azure Automation account should have local authentication method disabled | Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn | |
| Event Grid | 2dd0e8b9-4289-4bb0-b813-1883298e9924 | Configure Azure Event Grid partner namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Modify Allowed Modify, Disabled |
count: 001 •EventGrid Contributor |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn |
| Event Grid | 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 | Configure Azure Event Grid domains to disable local authentication | Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Modify Allowed Modify, Disabled |
count: 001 •EventGrid Contributor |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn |
| Event Grid | 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd | Azure Event Grid domains should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn | |
| Event Grid | 1c8144d9-746a-4501-b08c-093c8d29ad04 | Configure Azure Event Grid topics to disable local authentication | Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Modify Allowed Modify, Disabled |
count: 001 •EventGrid Contributor |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.1 > 4.0.2) | 2021-09-21 16:12:09 | BuiltIn | |
| Kubernetes | 245fc9df-fa96-4414-9a0b-3738c2f7341c | Resource logs in Azure Kubernetes Service should be enabled | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-21 16:12:09 | BuiltIn | |
| Security Center | 0961003e-5a0a-4549-abde-af6a37f2724d | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.1 > 2.0.2) | 2021-09-13 16:35:32 | BuiltIn | |
| Security Center | bb2c6c6d-14bc-4443-bef3-c6be0adc6076 | [Preview]: Azure Security agent should be installed on your Windows virtual machines | Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn | |
| Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2021-09-13 16:35:32 | BuiltIn |
| Security Center | 0367cfc4-90b3-46ba-a8a6-ddd5d3514878 | [Preview]: Azure Security agent should be installed on your Windows Arc machines | Install the Azure Security agent on your Windows Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn | |
| Security Center | 808a7dc4-49f2-4e7b-af75-d14e561c244a | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent | Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn |
| Security Center | e16f967a-aa57-4f5e-89cd-8d1434d0a29a | [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets | Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn | |
| Security Center | d01f3018-de9f-4d75-8dae-d12c1875da9f | [Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent | Configure supported Windows Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows Arc machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn |
| Security Center | e8794316-d918-4565-b57d-6b38a06381a0 | [Preview]: Azure Security agent should be installed on your Linux virtual machines | Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn | |
| Security Center | 1f300abb-f5a0-41c3-a163-91bd3ed35de7 | [Preview]: Azure Security agent should be installed on your Linux Arc machines | Install the Azure Security agent on your Linux Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn | |
| Security Center | 62b52eae-c795-44e3-94e8-1b3d264766fb | [Preview]: Azure Security agent should be installed on your Linux virtual machine scale sets | Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn | |
| Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-09-13 16:35:32 | BuiltIn |
| Security Center | 6654c8c4-e6f8-43f8-8869-54327af7ce32 | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent | Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) | 2021-09-13 16:35:32 | BuiltIn |
| Security Center | 2f47ec78-4301-4655-b78e-b29377030cdc | [Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent | Configure supported Linux Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Linux Arc machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | 2021-09-13 16:35:32 | BuiltIn |
| Key Vault | 84d327c3-164a-4685-b453-900478614456 | [Preview]: Configure Azure Key Vault Managed HSM to disable public network access | Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Default Modify Allowed Modify, Disabled |
count: 001 •Managed HSM contributor |
add |
new Policy | 2021-09-13 16:35:32 | BuiltIn |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2021-09-13 16:35:32 | BuiltIn |
| App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview) | 2021-09-08 15:39:57 | BuiltIn | |
| App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Internet of Things | 9f8ba900-a70f-486e-9ffc-faf907305376 | Configure Azure IoT Hub to disable local authentication | Disable local authentication methods so that your Azure IoT Hub exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn |
| App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn | |
| Bot Service | ad5621d6-a877-4407-aa93-a950b428315e | BotService resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Healthcare APIs | fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 | CORS should not allow every domain to access your FHIR Service | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. | Default Audit Allowed audit, Audit, disabled, Disabled |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn | |
| App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn | |
| App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview) | 2021-09-08 15:39:57 | BuiltIn | |
| Internet of Things | 672d56b3-23a7-4a3c-a233-b77ed7777518 | Azure IoT Hub should have local authentication methods disabled for Service Apis | Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively require Azure Active Directory identities for Service Api authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn | |
| SignalR | 702133e5-5ec5-4f90-9638-c78e22f13b39 | Configure Azure SignalR Service to disable local authentication | Disable local authentication methods so that your Azure SignalR Service exclusively requires Azure Active Directory identities for authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •SignalR/Web PubSub Contributor |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn |
| App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Bot Service | 6a4e6f44-f2af-4082-9702-033c9e88b9f8 | Configure BotService resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn |
| App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (4.0.0 > 4.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Bot Service | 29261f8e-efdb-4255-95b8-8215414515d6 | Configure BotService resources with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-09-08 15:39:57 | BuiltIn |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2021-09-08 15:39:57 | BuiltIn | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
change |
Patch (1.0.0 > 1.0.1) | 2021-09-08 15:39:57 | BuiltIn |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (3.0.0 > 3.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.0 > 5.0.1) | 2021-09-08 15:39:57 | BuiltIn | |
| Key Vault | 82067dbb-e53b-4e06-b631-546d197452d9 | Keys using RSA cryptography should have a specified minimum key size | Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 342e8053-e12e-4c44-be01-c3c2f318400f | Secrets should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, old suffix: preview (2.0.0-preview > 2.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, old suffix: preview (2.0.0-preview > 2.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | b0eb591a-5e70-4534-a8bf-04b9c489584a | Secrets should have more than the specified number of days before expiration | If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2021-08-30 14:27:30 | BuiltIn | |
| Security Center | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.1-preview > 1.0.2) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 | Keys should not be active for longer than the specified number of days | Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 | Secrets should have content type set | A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, old suffix: preview (2.0.0-preview > 2.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 49a22571-d204-4c91-a7b6-09b1a586fbc9 | Keys should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-08-30 14:27:30 | BuiltIn |
| API Management | df73bd95-24da-4a4f-96b9-4e8b94b402bd | API Management should disable public network access to the service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, old suffix: preview (2.0.0-preview > 2.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 587c79fe-dd04-4a5e-9d0b-f89598c7261b | Keys should be backed by a hardware security module (HSM) | An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| SQL | f4c68484-132f-41f9-9b6d-3e4b1cb55036 | Configure SQL servers to have auditing enabled | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •SQL Security Manager •Storage Account Contributor |
change |
Major (2.0.0 > 3.0.0) | 2021-08-30 14:27:30 | BuiltIn |
| Key Vault | e8d99835-8a06-45ae-a8e0-87a91941ccfe | Secrets should not be active for longer than the specified number of days | If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.0.0 > 7.0.0) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, old suffix: preview (2.0.0-preview > 2.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 5ff38825-c5d8-47c5-b70e-069a21955146 | Keys should have more than the specified number of days before expiration | If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Monitoring | 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 | Azure Monitor Private Link Scope should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | ff25f3c8-b739-4538-9d07-3d6d25cfb255 | Keys using elliptic curve cryptography should have the specified curve names | Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (2.0.1-preview > 3.0.1-preview) | 2021-08-30 14:27:30 | BuiltIn | |
| Security Center | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | Endpoint protection health issues should be resolved on your machines | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 75c4f823-d65c-4f29-a733-01d0077fdbcb | Keys should be the specified cryptographic type RSA or EC | Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (2.1.0-preview > 3.0.0-preview) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 98728c90-32c7-4049-8429-847dc0f4fe37 | Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, old suffix: preview (1.0.1-preview > 1.0.2) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, old suffix: preview (2.0.0-preview > 2.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, old suffix: preview (2.0.0-preview > 2.0.1) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.0 > 5.0.0) | 2021-08-30 14:27:30 | BuiltIn | |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
change |
Major (1.0.0 > 2.0.0) | 2021-08-30 14:27:30 | BuiltIn |
| API Management | 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 | Configure API Management services to disable access to API Management public service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •API Management Service Contributor |
add |
new Policy | 2021-08-30 14:27:30 | BuiltIn |
| Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2021-08-23 14:26:16 | BuiltIn | |
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-08-23 14:26:16 | BuiltIn |
| Key Vault | d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844 | [Preview]: Configure Azure Key Vault Managed HSM with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Managed HSM contributor •Network Contributor |
add |
new Policy | 2021-08-23 14:26:16 | BuiltIn |
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-08-23 14:26:16 | BuiltIn |
| Security Center | 95406fc3-1f69-47b0-8105-4c03b276ec5c | [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot | Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-08-23 14:26:16 | BuiltIn |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-08-23 14:26:16 | BuiltIn | |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | [Deprecated]: Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Disabled Allowed Audit, Deny, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2021-08-23 14:26:16 | BuiltIn | |
| Security Center | 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-08-23 14:26:16 | BuiltIn | |
| Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-08-23 14:26:16 | BuiltIn | |
| Key Vault | 59fee2f4-d439-4f1b-9b9a-982e1474bfd8 | [Preview]: Azure Key Vault Managed HSM should use private link | Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-08-23 14:26:16 | BuiltIn | |
| SQL | c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd | Configure Azure Defender to be enabled on SQL managed instances | Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Security Manager |
change |
Major (1.0.0 > 2.0.0) | 2021-08-23 14:26:16 | BuiltIn |
| Key Vault | 19ea9d63-adee-4431-a95e-1913c6c1c75f | [Preview]: Azure Key Vault Managed HSM should disable public network access | Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-23 14:26:16 | BuiltIn | |
| Storage | bfecdea6-31c4-4045-ad42-71b9dc87247d | Storage account encryption scopes should use double encryption for data at rest | Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-23 14:26:16 | BuiltIn | |
| Azure Ai Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-08-23 14:26:16 | BuiltIn | |
| Bot Service | ffea632e-4e3a-4424-bf78-10e179bb2e1a | Bot Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-23 14:26:16 | BuiltIn | |
| Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Cognitive Services Contributor •Network Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-08-23 14:26:16 | BuiltIn |
| Cognitive Services | 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c | Configure Cognitive Services accounts to disable public network access | Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default Modify Allowed Disabled, Modify |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-08-23 14:26:16 | BuiltIn |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
add |
new Policy | 2021-08-23 14:26:16 | BuiltIn |
| Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default Audit Allowed Audit, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-08-23 14:26:16 | BuiltIn | |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | 2021-08-23 14:26:16 | BuiltIn |
| 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 | n/a | n/a | remove |
0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 | 2021-08-16 16:08:10 (i) | BuiltIn | |||
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2021-08-13 17:07:49 | BuiltIn | |
| SQL | abda6d70-9778-44e7-84a8-06713e6db027 | Azure SQL Database should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-13 17:07:49 | BuiltIn | |
| SQL | 78215662-041e-49ed-a9dd-5385911b3a1f | Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-13 17:07:49 | BuiltIn | |
| SQL | ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 | SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-13 17:07:49 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.1.0 > 7.0.0) | 2021-08-13 17:07:49 | BuiltIn | |
| Media Services | 8bfe3603-0888-404a-87ff-5c1b6b4cc5e3 | Azure Media Services accounts should disable public network access | Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-13 17:07:49 | BuiltIn | |
| SQL | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-13 17:07:49 | BuiltIn | |
| Batch | 4dbc2f5c-51cf-4e38-9179-c7028eed2274 | Configure Batch accounts to disable local authentication | Disable location authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-08-09 19:32:42 | BuiltIn |
| Batch | 1760f9d4-7206-436e-a28f-d9f3a5c8a227 | Azure Batch pools should have disk encryption enabled | Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2021-08-09 19:32:42 | BuiltIn | |
| SignalR | f70eecba-335d-4bbc-81d5-5b17b03d498f | Azure SignalR Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure SignalR Service exclusively require Azure Active Directory identities for authentication. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-09 19:32:42 | BuiltIn | |
| Batch | 6f68b69f-05fe-49cd-b361-777ee9ca7e35 | Batch accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-09 19:32:42 | BuiltIn | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Extension for SQL Server Deployment |
add |
new Policy | 2021-08-09 19:32:42 | BuiltIn |
| Kubernetes | 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 | Azure Kubernetes Service Clusters should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-09 19:32:42 | BuiltIn | |
| Container Registry | 524b0254-c285-4903-bee6-bb8126cde579 | Container registries should have exports disabled | Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-08-09 19:32:42 | BuiltIn | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (2.1.0-preview > 3.1.0-preview) | 2021-08-02 15:58:22 | BuiltIn | |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (2.1.0-preview > 3.0.0-preview) | 2021-08-02 15:58:22 | BuiltIn | |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-08-02 15:58:22 | BuiltIn | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-08-02 15:58:22 | BuiltIn | |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (2.1.0-preview > 3.0.0-preview) | 2021-08-02 15:58:22 | BuiltIn | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-08-02 15:58:22 | BuiltIn | |
| Security Center | b99b73e7-074b-4089-9395-b7236f094491 | Configure Azure Defender for Azure SQL database to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major (1.2.1 > 2.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| Search | 76a56461-9dc0-40f0-82f5-2453283afa2f | Azure Cognitive Search services should use customer-managed keys to encrypt data at rest | Enabling encryption at rest using a customer-managed key on your Azure Cognitive Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn | |
| SQL | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | Configure Azure Defender to be enabled on SQL servers | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Fixed DeployIfNotExists |
count: 001 •SQL Security Manager |
change |
Minor (2.0.0 > 2.1.0) | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 | Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | 1f725891-01c0-420a-9059-4fa46cb770b7 | Configure Microsoft Defender for Key Vault plan | Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | 74c30959-af11-47b3-9ed2-a26e03f427a3 | Configure Microsoft Defender for Storage (Classic) to be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | 2370a3c1-4a25-4283-a91a-c9c1a145fb2f | [Deprecated]: Configure Azure Defender for DNS to be enabled | This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| SQL | f4c68484-132f-41f9-9b6d-3e4b1cb55036 | Configure SQL servers to have auditing enabled | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •SQL Security Manager •Storage Account Contributor |
change |
Major (1.2.0 > 2.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d | Configure Azure Defender for App Service to be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Azure Edge Hardware Center | 08a6b96f-576e-47a2-8511-119a212d344d | Azure Edge Hardware Center devices should have double encryption support enabled | Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn | |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major (1.2.0 > 2.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major (1.2.0 > 2.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | Azure Defender for open-source relational databases should be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn | |
| Security Center | 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 | Configure Azure Defender for servers to be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| Storage | 044985bb-afe1-42cd-8a36-9d5d42424537 | Storage account keys should not be expired | Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-07-30 15:17:20 | BuiltIn | |
| Backup | af783da1-4ad1-42be-800d-d19c70038820 | [Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2021-07-30 15:17:20 | BuiltIn |
| Backup | deeddb44-9f94-4903-9fa0-081d524406e3 | [Preview]: Azure Recovery Services vaults should use private link for backup | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. | Default Audit Allowed Audit, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-07-30 15:17:20 | BuiltIn | |
| Security Center | 50ea7265-7d8c-429e-9a7d-ca1f410191c3 | Configure Azure Defender for SQL servers on machines to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | 133047bf-1369-41e3-a3be-74a11ed1395a | [Deprecated]: Configure Azure Defender for Kubernetes to be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Network | 21a6bc25-125e-4d13-b82d-2e19b7208ab7 | VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn | |
| SQL | c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd | Configure Azure Defender to be enabled on SQL managed instances | Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL Security Manager |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | Configure Dependency agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major (1.2.0 > 2.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | d3d1e68e-49d4-4b56-acff-93cef644b432 | [Deprecated]: Configure Azure Defender for container registries to be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-07-30 15:17:20 | BuiltIn |
| Monitoring | d3ba9c42-9dd5-441a-957c-274031c750c0 | Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | Default Modify Allowed Modify, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2021-07-30 15:17:20 | BuiltIn |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-07-30 15:17:20 | BuiltIn |
| SQL | 17k78e20-9358-41c9-923c-fb736d382a12 | Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-07-16 14:58:38 | BuiltIn | |
| SQL | 86a912f6-9a06-4e26-b447-11b16ba8659f | Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •SQL DB Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-07-16 14:58:38 | BuiltIn |
| Monitoring | dddfa1af-dcd6-42f4-b5b0-e1db01e0b405 | Configure Azure Application Insights components to disable public network access for log ingestion and querying | Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | Default Modify Allowed Modify, Disabled |
count: 001 •Application Insights Component Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2021-07-15 16:24:53 | BuiltIn |
| Security Center | 0961003e-5a0a-4549-abde-af6a37f2724d | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2021-07-15 16:24:53 | BuiltIn | |
| Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default Deny Allowed Audit, Deny, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2021-07-15 16:24:53 | BuiltIn | |
| Cache | 5d8094d7-7340-465a-b6fd-e60ab7e48920 | Configure Azure Cache for Redis with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Redis Cache Contributor |
add |
new Policy | 2021-07-15 16:24:53 | BuiltIn |
| Monitoring | 437914ee-c176-4fff-8986-7e05eb971365 | Configure Azure Monitor Private Link Scope to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn |
| Monitoring | dddfa1af-dcd6-42f4-b5b0-e1db01e0b405 | Configure Azure Application Insights components to disable public network access for log ingestion and querying | Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | Default Modify Allowed Modify, Disabled |
count: 001 •Application Insights Component Contributor |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn |
| Cosmos DB | dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 | Configure Cosmos DB database accounts to disable local authentication | Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default Modify Allowed Modify, Disabled |
count: 001 •DocumentDB Account Contributor |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn |
| Media Services | b4a7f6c1-585e-4177-ad5b-c2c93f4bb991 | Configure Azure Media Services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn |
| App Service | 687aa49d-0982-40f8-bf6b-66d1da97a04b | App Service apps should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn | |
| Cosmos DB | 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 | Cosmos DB database accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn | |
| Media Services | c5632066-946d-4766-9544-cd79bcc1286e | Configure Azure Media Services with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Media Services Account Administrator •Network Contributor |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn |
| Event Hub | 836cd60e-87f3-4e6a-a27c-29d687f01a4c | Event Hub namespaces should have double encryption enabled | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn | |
| Monitoring | e8185402-357b-4768-8058-f620bc0ae6b5 | Configure Azure Monitor Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn |
| Media Services | 4a591bf5-918e-4a5f-8dad-841863140d61 | Azure Media Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn | |
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn | |
| Monitoring | d3ba9c42-9dd5-441a-957c-274031c750c0 | Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | Default Modify Allowed Modify, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn |
| Service Bus | ebaf4f25-a4e8-415f-86a8-42d9155bef0b | Service Bus namespaces should have double encryption enabled | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn | |
| Monitoring | 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 | Azure Monitor Private Link Scope should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-07-07 15:26:31 | BuiltIn | |
| Storage | 044985bb-afe1-42cd-8a36-9d5d42424537 | Storage account keys should not be expired | Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-07-07 15:26:31 | BuiltIn | |
| Security Center | c3d20c29-b36d-48fe-808b-99a87530ad99 | Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2021-07-07 15:26:31 | BuiltIn | |
| Network | 235359c5-7c52-4b82-9055-01c75cf9f60e | [Deprecated]: Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. The resource type Microsoft.ServiceBus/namespaces/virtualNetworkRules is deprecated in the latest API version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2021-06-22 14:29:30 | BuiltIn | |
| Monitoring | 199d5677-e4d9-4264-9465-efe1839c06bd | Application Insights components should block non-Azure Active Directory based ingestion. | Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. | Default Audit Allowed Deny, Audit, Disabled |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn | |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-06-22 14:29:30 | BuiltIn |
| Monitoring | 0c4bd2e8-8872-4f37-a654-03f6f38ddc76 | Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger. | To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage | Default Audit Allowed Deny, Audit, Disabled |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn |
| Storage | 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 | Storage accounts should prevent shared key access | Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn | |
| App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 1.0.0) | 2021-06-22 14:29:30 | BuiltIn | |
| App Service | 817dcf37-e83d-4999-a472-644eada2ea1e | App Service Environment should be configured with strongest TLS Cipher suites | The two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn | |
| App Service | 72d04c29-f87d-4575-9731-419ff16a2757 | App Service apps should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn | |
| Monitoring | e15effd4-2278-4c65-a0da-4d6f6d1890e2 | Log Analytics Workspaces should block non-Azure Active Directory based ingestion. | Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. | Default Audit Allowed Deny, Audit, Disabled |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn | |
| App Service | 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 | [Deprecated]: App Services should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn | |
| Key Vault | 951af2fa-529b-416e-ab6e-066fd85ac459 | Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-06-22 14:29:30 | BuiltIn |
| App Service | eb4d34ab-0929-491c-bbf3-61e13da19f9a | App Service Environment should be provisioned with latest versions | Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn | |
| App Service | b318f84a-b872-429b-ac6d-a01b96814452 | Configure App Service apps to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn |
| Monitoring | 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 | Configure Log Analytics workspace and automation account to centralize logs and monitoring | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn |
| App Service | d79ab062-dffd-4318-8344-f70de714c0bc | [Deprecated]: App Service should disable public network access | Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2021-06-22 14:29:30 | BuiltIn | |
| Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-06-22 14:29:30 | BuiltIn |
| App Service | 81dff7c0-4020-4b58-955d-c076a2136b56 | [Deprecated]: Configure App Services to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Website Contributor |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn |
| App Service | 2d048aca-6479-4923-88f5-e2ac295d9af3 | App Service Environment apps should not be reachable over public internet | To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-06-22 14:29:30 | BuiltIn | |
| Logic Apps | 34f95f76-5386-4de7-b824-0d8478470c9d | Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| Service Bus | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| Data Lake | 057ef27e-665e-4328-8ea3-04b3122bd9fb | Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| Stream Analytics | f9be5368-9bf5-4b84-9e0a-7850da98bb46 | Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| Event Hub | 83a214f7-d01a-484b-91a9-ed54470c9a6a | Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| Search | b4330a05-a843-4bc8-bf9a-cacce50c67f4 | Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| Key Vault | cf820ca0-f99e-4f3e-84fb-66e913812d21 | Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| Data Lake | c95c74d9-38fe-4f0d-af86-0c7d626a315c | Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| Batch | 428256e6-1fac-4f48-a757-df34c2b3336d | Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (4.0.1 > 5.0.0) | 2021-06-17 14:24:41 | BuiltIn | |
| Container Registry | 79fdfe03-ffcb-4e55-b4d0-b925b8241759 | Configure container registries to disable local admin account. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-06-15 14:05:41 | BuiltIn |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0) | 2021-06-15 14:05:41 | BuiltIn |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0) | 2021-06-15 14:05:41 | BuiltIn |
| Container Registry | dc921057-6b28-4fbe-9b83-f7bec05db6c2 | Container registries should have local admin account disabled. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-06-15 14:05:41 | BuiltIn | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0) | 2021-06-15 14:05:41 | BuiltIn |
| SQL | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2021-06-08 15:17:13 | BuiltIn | |
| Security Center | 95406fc3-1f69-47b0-8105-4c03b276ec5c | [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot | Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-06-08 15:17:13 | BuiltIn |
| SQL | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2021-06-08 15:17:13 | BuiltIn | |
| Security Center | e494853f-93c3-4e44-9210-d12f61a64b34 | [Preview]: Configure supported virtual machines to automatically enable vTPM | Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-06-08 15:17:13 | BuiltIn |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled |
change |
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) | 2021-06-08 15:17:13 | BuiltIn | |
| Security Center | 7cb1b219-61c6-47e0-b80c-4472cadeeb5f | [Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot | Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-06-08 15:17:13 | BuiltIn |
| Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.2 > 2.0.0) | 2021-06-08 15:17:13 | BuiltIn | |
| SQL | 6134c3db-786f-471e-87bc-8f479dc890f6 | Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | Fixed DeployIfNotExists |
count: 002 •SQL Security Manager •Storage Account Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2021-06-08 15:17:13 | BuiltIn |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.0 > 6.1.1) | 2021-06-08 15:17:13 | BuiltIn | |
| Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.1.1 > 2.0.0) | 2021-06-08 15:17:13 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (6.1.0 > 6.1.1) | 2021-06-08 15:17:13 | BuiltIn | |
| Network | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-06-02 22:44:52 | BuiltIn | |
| Cognitive Services | 14de9e63-1b31-492e-a5a3-c3f7fd57f555 | Configure Cognitive Services accounts to disable local authentication methods | Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-06-02 22:44:52 | BuiltIn |
| App Configuration | b08ab3ca-1062-4db3-8803-eec9cae605d6 | App Configuration stores should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-06-02 22:44:52 | BuiltIn | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Contributor •Managed Identity Operator •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-06-02 22:44:52 | BuiltIn |
| App Configuration | 72bc14af-4ab8-43af-b4e4-38e7983f9a1f | Configure App Configuration stores to disable local authentication methods | Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-06-02 22:44:52 | BuiltIn |
| Security Center | 2ada9901-073c-444a-9a9a-91865174f0aa | [Preview]: Configure Azure Defender for SQL agent on virtual machine | Configure Windows machines to automatically install the Azure Defender for SQL agent where the Azure Monitor Agent is installed. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-06-02 22:44:52 | BuiltIn |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-06-02 22:44:52 | BuiltIn |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2021-06-02 22:44:52 | BuiltIn | |
| Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-06-02 22:44:52 | BuiltIn |
| Azure Ai Services | 71ef260a-8f18-47b7-abcb-62d0673d94dc | Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-06-02 22:44:52 | BuiltIn | |
| Security Center | 15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554 | Log Analytics agent should be installed on your Cloud Services (extended support) role instances | Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-06-02 22:44:52 | BuiltIn | |
| SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.3 > 1.0.4) | 2021-05-26 13:43:16 | BuiltIn | |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn |
| Site Recovery | e95a8a5c-0987-421f-84ab-df4d88ebf7d1 | [Preview]: Configure private endpoints on Azure Recovery Services vaults | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •Site Recovery Contributor |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn |
| Web PubSub | 0b026355-49cb-467b-8ac4-f777874e175a | Configure Azure Web PubSub Service to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn |
| Security Center | b1bb3592-47b8-4150-8db0-bfdcc2c8965b | [Preview]: Linux virtual machines should use Secure Boot | To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn | |
| Guest Configuration | 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 | Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-05-26 13:43:16 | BuiltIn | |
| Web PubSub | 52630df9-ca7e-442b-853b-c6ce548b31a2 | [Deprecated]: Azure Web PubSub Service should use private link | The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/eb907f70-7514-460d-92b3-a5ae93b4f917 instead. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn | |
| Backup | af783da1-4ad1-42be-800d-d19c70038820 | [Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn |
| Web PubSub | 82909236-25f3-46a6-841c-fe1020f95ae1 | Azure Web PubSub Service should use a SKU that supports private link | With supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn | |
| Site Recovery | 11e3da8c-1d68-4392-badd-0ff3c43ab5b0 | [Preview]: Recovery Services vaults should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://aka.ms/HybridScenarios-PrivateLink and https://aka.ms/AzureToAzure-PrivateLink. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn | |
| SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.3 > 1.0.4) | 2021-05-26 13:43:16 | BuiltIn | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Log Analytics Contributor |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2021-05-26 13:43:16 | BuiltIn |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2021-05-26 13:43:16 | BuiltIn |
| App Service | d79ab062-dffd-4318-8344-f70de714c0bc | [Deprecated]: App Service should disable public network access | Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-05-26 13:43:16 | BuiltIn | |
| Web PubSub | 1b9c0b58-fc7b-42c8-8010-cdfa1d1b8544 | Configure Azure Web PubSub Service with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •SignalR/Web PubSub Contributor |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn |
| Web PubSub | bf45113f-264e-4a87-88f9-29ac8a0aca6a | Azure Web PubSub Service should disable public network access | Disabling public network access improves security by ensuring that Azure Web PubSub service isn't exposed on the public internet. Creating private endpoints can limit exposure of Azure Web PubSub service. Learn more at: https://aka.ms/awps/networkacls. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn | |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn |
| Site Recovery | 942bd215-1a66-44be-af65-6a1c0318dbe2 | [Preview]: Configure Azure Recovery Services vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn |
| Monitoring | 94c1f94d-33b0-4062-bd04-1cdc3e7eece2 | Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys | Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn | |
| Web PubSub | 5b1213e4-06e4-4ccc-81de-4201f2f7131a | Configure Azure Web PubSub Service to disable public network access | Disable public network access for your Azure Web PubSub resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/awps/networkacls. | Default Modify Allowed Modify, Disabled |
count: 001 •SignalR/Web PubSub Contributor |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn |
| Security Center | f6358610-e532-4236-b178-4c65865eb262 | [Preview]: Virtual machines guest attestation status should be healthy | Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection. This assessment only applies to Trusted Launch enabled virtual machines that have Guest Attestation extension installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-05-26 13:43:16 | BuiltIn | |
| Media Services | daccf7e4-9808-470c-a848-1c5b582a1afb | Azure Media Services content key policies should use token authentication | Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Microsoft Entra ID. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn | |
| Azure Active Directory | 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 | Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode | Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-05-18 14:34:48 | BuiltIn | |
| Network | e920df7f-9a64-4066-9b58-52684c02a091 | Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn |
| Media Services | a77d8bb4-8d22-4bc1-a884-f582a705b480 | Azure Media Services accounts should use an API that supports Private Link | Media Services accounts should be created with an API that supports private link. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn | |
| Network | 2f080164-9f4d-497e-9db6-416dc9f7b48a | Network Watcher flow logs should have traffic analytics enabled | Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn | |
| Media Services | ccf93279-9c91-4143-a841-8d1f21505455 | Azure Media Services accounts that allow access to the legacy v2 API should be blocked | The Media Services legacy v2 API allows requests that cannot be managed using Azure Policy. Media Services resources created using the 2020-05-01 API or later block access to the legacy v2 API. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn | |
| Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn | |
| Synapse | 38d8df46-cf4e-4073-8e03-48c24b29de0d | Azure Synapse workspaces should disable public network access | Disabling public network access improves security by ensuring that the Synapse workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your Synapse workspaces. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn | |
| Guest Configuration | f79fef0d-0050-4c18-a303-5babb9c14ac7 | Windows machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn | |
| Media Services | e9914afe-31cd-4b8a-92fa-c887f847d477 | Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns | Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property. | Default Deny Allowed Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-05-18 14:34:48 | BuiltIn | |
| Monitoring | f47b5582-33ec-4c5c-87c0-b010a6b2e917 | Virtual machines should be connected to a specified workspace | Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2021-05-18 14:34:48 | BuiltIn | |
| Network | 5e1cd26a-5090-4fdb-9d6a-84a90335e22d | Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn |
| Synapse | 5c8cad01-ef30-4891-b230-652dadb4876a | Configure Azure Synapse workspaces to disable public network access | Disable public network access for your Synapse workspace so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-05-18 14:34:48 | BuiltIn |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-05-11 14:06:18 | BuiltIn |
| SQL | 80ed5239-4122-41ed-b54a-6f1fa7552816 | Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-05-11 14:06:18 | BuiltIn |
| Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Azure Machine Learning Computes to disable local authentication methods | Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-05-11 14:06:18 | BuiltIn |
| Monitoring | 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 | Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-05-11 14:06:18 | BuiltIn | |
| SQL | 9a7c7a7d-49e5-4213-bea8-6a502b6272e0 | Deploy Diagnostic Settings for Azure SQL Database to Event Hub | Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is created or updated. | Fixed DeployIfNotExists |
count: 001 •Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2021-05-11 14:06:18 | BuiltIn |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-05-11 14:06:18 | BuiltIn |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2021-05-11 14:06:18 | BuiltIn | |
| Machine Learning | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f | Azure Machine Learning Computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-11 14:06:18 | BuiltIn | |
| Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2021-05-11 14:06:18 | BuiltIn | |
| Compute | bc05b96c-0b36-4ca9-82f0-5c53f96ce05a | Configure disk access resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-05-11 14:06:18 | BuiltIn |
| SQL | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-05-11 14:06:18 | BuiltIn |
| Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-05-11 14:06:18 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (6.0.0 > 7.0.0) | 2021-05-11 14:06:18 | BuiltIn | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.1.0 > 3.0.0) | 2021-05-11 14:06:18 | BuiltIn | |
| Storage | 044985bb-afe1-42cd-8a36-9d5d42424537 | Storage account keys should not be expired | Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-11 14:06:18 | BuiltIn | |
| SQL | db048e65-913c-49f9-bb5f-1084184671d3 | Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-05-11 14:06:18 | BuiltIn |
| Monitoring | 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 | Application Insights components should block log ingestion and querying from public networks | Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-05-11 14:06:18 | BuiltIn | |
| Monitoring | 6c53d030-cc64-46f0-906d-2bc061cd1334 | Log Analytics workspaces should block log ingestion and querying from public networks | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-05-11 14:06:18 | BuiltIn | |
| Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Contributor •Managed Identity Operator •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.2.0-preview > 2.0.0-preview) | 2021-05-04 14:34:06 | BuiltIn |
| Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | 5a913c68-0590-402c-a531-e57e19379da3 | [Deprecated]: Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-05-04 14:34:06 | BuiltIn |
| Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2021-05-04 14:34:06 | BuiltIn |
| App Service | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service Environment should have TLS 1.0 and 1.1 disabled | TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-05-04 14:34:06 | BuiltIn | |
| Bot Service | 52152f42-0dda-40d9-976e-abb1acdd611e | Bot Service should have isolated mode enabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | 1cb4d9c2-f88f-4069-bee0-dba239a57b09 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn | |
| App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | [Preview]: vTPM should be enabled on supported virtual machines | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn | |
| Media Services | e9914afe-31cd-4b8a-92fa-c887f847d477 | Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns | Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property. | Default Deny Allowed Deny, Disabled |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn |
| Security Center | 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn |
| Storage | b5ec538c-daa0-4006-8596-35468b9148e8 | Storage account encryption scopes should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-05-04 14:34:06 | BuiltIn | |
| Security Center | a0c11ca4-5828-4384-a2f2-fd7444dd5b4d | Cloud Services (extended support) role instances should be configured securely | Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not expolosed to any OS vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-04-27 15:38:15 | BuiltIn | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-04-27 15:38:15 | BuiltIn |
| Security Center | 15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554 | Log Analytics agent should be installed on your Cloud Services (extended support) role instances | Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-04-27 15:38:15 | BuiltIn | |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-04-27 15:38:15 | BuiltIn |
| Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | Configure Dependency agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, old suffix: preview (1.1.0-preview > 1.2.0) | 2021-04-27 15:38:15 | BuiltIn |
| Security Center | 1e378679-f122-4a96-a739-a7729c46e1aa | Cloud Services (extended support) role instances should have an endpoint protection solution installed | Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-04-27 15:38:15 | BuiltIn | |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, old suffix: preview (1.1.0-preview > 1.2.0) | 2021-04-27 15:38:15 | BuiltIn |
| App Service | fb74e86f-d351-4b8d-b034-93da7391c01f | App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-04-27 15:38:15 | BuiltIn | |
| SQL | 7ea8a143-05e3-4553-abfe-f56bef8b0b70 | Configure Azure SQL database servers diagnostic settings to Log Analytics workspace | Enables auditing logs for Azure SQL Database server and stream the logs to a Log Analytics workspace when any SQL Server which is missing this auditing is created or updated | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •SQL Security Manager |
change |
Patch (1.0.1 > 1.0.2) | 2021-04-27 15:38:15 | BuiltIn |
| App Service | 33228571-70a4-4fa1-8ca1-26d0aba8d6ef | [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-04-27 15:38:15 | BuiltIn | |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (4.0.0 > 4.1.0) | 2021-04-27 15:38:15 | BuiltIn |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, old suffix: preview (1.1.0-preview > 1.2.0) | 2021-04-27 15:38:15 | BuiltIn |
| App Service | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service Environment should have TLS 1.0 and 1.1 disabled | TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-04-27 15:38:15 | BuiltIn | |
| SQL | 6134c3db-786f-471e-87bc-8f479dc890f6 | Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | Fixed DeployIfNotExists |
count: 002 •SQL Security Manager •Storage Account Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2021-04-27 15:38:15 | BuiltIn |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (2.0.0 > 3.0.0) | 2021-04-27 15:38:15 | BuiltIn |
| SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default Deny Allowed Deny, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2021-04-27 15:38:15 | BuiltIn | |
| Security Center | 4df26ba8-026d-45b0-9521-bffa44d741d2 | Cloud Services (extended support) role instances should have system updates installed | Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-04-27 15:38:15 | BuiltIn | |
| Monitoring | 2465583e-4e78-4c15-b6be-a36cbc7c8b0f | Configure Azure Activity logs to stream to specified Log Analytics workspace | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-04-27 15:38:15 | BuiltIn |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Patch (1.2.0 > 1.2.1) | 2021-04-27 15:38:15 | BuiltIn |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-04-27 15:38:15 | BuiltIn |
| Key Vault | 9d4fad1f-5189-4a42-b29e-cf7929c6b6df | Configure Azure Key Vaults with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Key Vault Contributor •Network Contributor |
add |
new Policy | 2021-04-21 13:28:46 | BuiltIn |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.2-preview > 1.1.0-preview) | 2021-04-21 13:28:46 | BuiltIn | |
| Azure Active Directory | 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 | Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode | Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-04-21 13:28:46 | BuiltIn | |
| Backup | 2e94d99a-8a36-4563-bc77-810d8893b671 | [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-04-21 13:28:46 | BuiltIn | |
| Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | [Deprecated]: Cognitive Services accounts should enable data encryption | This policy is deprecated. Cognitive Services have data encryption enforced. | Default Disabled Allowed Audit, Deny, Disabled |
change |
Major, new suffix: deprecated (1.0.0 > 2.0.0-deprecated) | 2021-04-21 13:28:46 | BuiltIn | |
| Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Cognitive Services Contributor •Network Contributor |
add |
new Policy | 2021-04-21 13:28:46 | BuiltIn |
| Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01dc | Configure key vaults to enable firewall | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Modify Allowed Modify, Disabled |
count: 001 •Key Vault Contributor |
add |
new Policy | 2021-04-21 13:28:46 | BuiltIn |
| Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | Configure Azure Key Vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-04-21 13:28:46 | BuiltIn |
| Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy is deprecated. Cognitive Services have data encryption enforced. | Default Disabled Allowed Audit, Deny, Disabled |
change |
Major, new suffix: deprecated (1.0.0 > 2.0.0-deprecated) | 2021-04-21 13:28:46 | BuiltIn | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2021-04-21 13:28:46 | BuiltIn | |
| Cognitive Services | c4bc6f10-cb41-49eb-b000-d5ab82e2a091 | Configure Cognitive Services accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-04-21 13:28:46 | BuiltIn |
| Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2021-04-21 13:28:46 | BuiltIn | |
| Key Vault | a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-04-21 13:28:46 | BuiltIn | |
| Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-04-21 13:28:46 | BuiltIn | |
| Data Factory | 8b0323be-cc25-4b61-935d-002c3798c6ea | Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-04-13 13:28:43 | BuiltIn | |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major (3.0.0 > 4.0.0) | 2021-04-13 13:28:43 | BuiltIn |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2021-04-07 13:27:17 | BuiltIn | |
| Compute | 8426280e-b5be-43d9-979e-653d12a08638 | Configure managed disks to disable public network access | Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-04-07 13:27:17 | BuiltIn |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2021-04-07 13:27:17 | BuiltIn | |
| Compute | 582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5 | Configure disk access resources with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-04-07 13:27:17 | BuiltIn |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-04-07 13:27:17 | BuiltIn |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-04-07 13:27:17 | BuiltIn |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-04-07 13:27:17 | BuiltIn |
| Compute | 8405fdab-1faf-48aa-b702-999c9c172094 | Managed disks should disable public network access | Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-04-07 13:27:17 | BuiltIn | |
| Data Factory | 08b1442b-7789-4130-8506-4f99a97226a7 | Configure Data Factories to disable public network access | Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default Modify Allowed Modify, Disabled |
count: 001 •Data Factory Contributor |
add |
new Policy | 2021-04-07 13:27:17 | BuiltIn |
| Data Factory | 496ca26b-f669-4322-a1ad-06b7b5e41882 | Configure private endpoints for Data factories | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Data Factory Contributor •Network Contributor |
add |
new Policy | 2021-04-07 13:27:17 | BuiltIn |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Major (1.1.0 > 2.0.0) | 2021-04-07 13:27:17 | BuiltIn |
| Data Factory | 86cd96e1-1745-420d-94d4-d3f2fe415aa4 | Configure private DNS zones for private endpoints that connect to Azure Data Factory | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-04-07 13:27:17 | BuiltIn |
| Compute | f39f5f49-4abf-44de-8c70-0756997bfb51 | Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-04-07 13:27:17 | BuiltIn | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2021-04-07 13:27:17 | BuiltIn | |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-31 14:35:06 | BuiltIn | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-31 14:35:06 | BuiltIn | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-31 14:35:06 | BuiltIn | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-31 14:35:06 | BuiltIn | |
| Guest Configuration | 480d0f91-30af-4a76-9afb-f5710ac52b09 | Private endpoints for Guest Configuration assignments should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-31 14:35:06 | BuiltIn | |
| SQL | f4c68484-132f-41f9-9b6d-3e4b1cb55036 | Configure SQL servers to have auditing enabled | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •SQL Security Manager •Storage Account Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2021-03-31 14:35:06 | BuiltIn |
| Search | 0fda3595-9f2b-4592-8675-4231d6fa82fe | Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-03-31 14:35:06 | BuiltIn | |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-31 14:35:06 | BuiltIn | |
| Synapse | ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee | Configure Synapse workspaces to have auditing enabled | To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •SQL Security Manager •Storage Account Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2021-03-31 14:35:06 | BuiltIn |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
change |
Major, suffix remains equal (1.0.1-preview > 2.0.0-preview) | 2021-03-31 14:35:06 | BuiltIn | |
| SignalR | ef45854f-b33f-49a3-8041-9057e915d88f | Configure private endpoints to Azure SignalR Service | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure SignalR Service resources, you can reduce data leakage risks. Learn more at https://aka.ms/asrs/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •SignalR/Web PubSub Contributor |
add |
new Policy | 2021-03-31 14:35:06 | BuiltIn |
| Monitoring | 752154a7-1e0f-45c6-a880-ac75a7e4f648 | Public IP addresses should have resource logs enabled for Azure DDoS Protection | Enable resource logs for public IP addressess in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. | Default AuditIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2021-03-31 14:35:06 | BuiltIn |
| Search | b698b005-b660-4837-b833-a7aaab26ddba | Configure Azure Cognitive Search services with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cognitive Search service, you can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •Search Service Contributor |
add |
new Policy | 2021-03-31 14:35:06 | BuiltIn |
| Network | 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d | Virtual networks should be protected by Azure DDoS Protection | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Default Modify Allowed Modify, Audit, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-31 14:35:06 | BuiltIn |
| VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Default Audit Allowed Audit, Disabled, Deny |
change |
Minor (1.0.1 > 1.1.0) | 2021-03-31 14:35:06 | BuiltIn | |
| Synapse | 529ea018-6afc-4ed4-95bd-7c9ee47b00bc | Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-03-24 14:32:48 | BuiltIn | |
| Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-03-24 14:32:48 | BuiltIn | |
| Storage | 6f8f98a4-f108-47cb-8e98-91a0d85cd474 | [Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace | Deprecated: This policy did not evaluate correctly and has been separated into policies for each of the nested resources. Please see new policies for storage accounts (id: /providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef), blob services (b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb), file (25a70cc8-2bd4-47f1-90b6-1478e4662c96), queue (7bd000e3-37c7-4928-9f31-86c4b77c5c45), and table (2fb86bf3-d221-43d1-96d1-2434af34eaa0). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.1.0 > 1.3.0) | 2021-03-24 14:32:48 | BuiltIn |
| Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Minor (1.1.0 > 1.2.0) | 2021-03-24 14:32:48 | BuiltIn |
| Storage | 970f84d8-71b6-4091-9979-ace7e3fb6dbb | HPC Cache accounts should use customer-managed key for encryption | Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default Audit Allowed Audit, Disabled, Deny |
change |
Major (1.0.0 > 2.0.0) | 2021-03-24 14:32:48 | BuiltIn | |
| Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | [Deprecated]: Azure Machine Learning workspaces should use private link | This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-03-24 14:32:48 | BuiltIn | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-24 14:32:48 | BuiltIn | |
| SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.1.0 > 3.0.0) | 2021-03-24 14:32:48 | BuiltIn | |
| Migrate | 7590a335-57cf-4c95-babd-ecbc8fafeb1f | Configure Azure Migrate resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-16 16:49:20 | BuiltIn |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, old suffix: preview (2.0.0-preview > 3.0.0) | 2021-03-16 16:49:20 | BuiltIn | |
| Container Registry | e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 | Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-16 16:49:20 | BuiltIn |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor, old suffix: preview (1.1.0-preview > 1.2.0) | 2021-03-16 16:49:20 | BuiltIn |
| Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | [Deprecated]: Azure Machine Learning workspaces should use private link | This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.0) | 2021-03-16 16:49:20 | BuiltIn | |
| Machine Learning | ee40564d-486e-4f68-a5ca-7a621edae0fb | Configure Azure Machine Learning workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-16 16:49:20 | BuiltIn |
| Container Registry | d85c6833-7d33-4cf5-a915-aaa2de84405f | Configure Container registries with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-16 16:49:20 | BuiltIn |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2021-03-16 16:49:20 | BuiltIn | |
| Container Registry | 0fdf0491-d080-4575-b627-ad0e843cba0f | Public network access should be disabled for Container registries | Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-16 16:49:20 | BuiltIn | |
| Container Registry | a3701552-92ea-433e-9d17-33b7f1208fc9 | Configure Container registries to disable public network access | Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-16 16:49:20 | BuiltIn |
| Machine Learning | 7838fd83-5cbb-4b5d-888c-bfa240972597 | Configure Azure Machine Learning workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-16 16:49:20 | BuiltIn |
| Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Minor (1.0.0 > 1.1.0) | 2021-03-16 16:49:20 | BuiltIn |
| Container Registry | bd560fc0-3c69-498a-ae9f-aa8eb7de0e13 | Container registries should have SKUs that support Private Links | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-16 16:49:20 | BuiltIn | |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-10 14:52:46 | BuiltIn |
| Storage | 970f84d8-71b6-4091-9979-ace7e3fb6dbb | HPC Cache accounts should use customer-managed key for encryption | Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Cache | 7803067c-7d34-46e3-8c79-0ca68fc4036d | Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| SignalR | b0e86710-7fb7-4a6c-a064-32e9b829509e | Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SignalR Service resource. Learn more at: https://aka.ms/asrs/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | Configure Kubernetes clusters with specified GitOps configuration using no secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 001 •Contributor |
change |
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | 2021-03-09 14:37:41 | BuiltIn |
| Container Instance | 8af8f826-edcb-4178-b35f-851ea6fea615 | Azure Container Instance container group should deploy into a virtual network | Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Security Center | bdc59948-5574-49b3-bb91-76b7c986428d | [Deprecated]: Azure Defender for DNS should be enabled | This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Cognitive Services | 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c | Configure Cognitive Services accounts to disable public network access | Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default Modify Allowed Disabled, Modify |
count: 001 •Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Synapse | 529ea018-6afc-4ed4-95bd-7c9ee47b00bc | Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Logic Apps | dc595cb1-1cde-45f6-8faf-f88874e1c0e1 | Logic Apps should be deployed into Integration Service Environment | Deploying Logic Apps into Integration Service Environment in a virtual network unlocks advanced Logic Apps networking and security features and provides you with greater control over your network configuration. Learn more at: https://aka.ms/integration-service-environment. Deploying into Integration Service Environment also allows encryption with customer-managed keys which provides enhanced data protection by allowing you to manage your encryption keys. This is often to meet compliance requirements. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Network | c251913d-7d24-4958-af87-478ed3b9ba41 | Flow logs should be configured for every network security group | Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Default Audit Allowed Audit, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Automation | c0c3130e-7dda-4187-aed0-ee4a472eaa60 | Configure private endpoint connections on Azure Automation accounts | Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Search | 9cee519f-d9c1-4fd9-9f79-24ec3449ed30 | Configure Azure Cognitive Search services to disable public network access | Disable public network access for your Azure Cognitive Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default Modify Allowed Modify, Disabled |
count: 002 •Network Contributor •Search Service Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Internet of Things | d82101f3-f3ce-4fc5-8708-4c09f4009546 | IoT Hub device provisioning service instances should disable public network access | Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://aka.ms/iotdpsvnet. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Internet of Things | df39c015-56a4-45de-b4a3-efe77bed320d | IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Container Instance | 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 | Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.0 > 6.1.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.3 > 2.0.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Compute | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Internet of Things | 9b75ea5b-c796-4c99-aaaf-21c204daac43 | Configure IoT Hub device provisioning service instances with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/iotdpsvnet. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Cosmos DB | 58440f8a-10c5-4151-bdce-dfbaad4a20b7 | CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Security Center | c3d20c29-b36d-48fe-808b-99a87530ad99 | Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Storage | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Kubernetes | a6f560f4-f582-4b67-b123-a37dcd1bf7ea | Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Synapse | 3b3b0c27-08d2-4b32-879d-19930bee3266 | Configure Azure Synapse workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Synapse workspaces, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Internet of Things | 859dfc91-ea35-43a6-8256-31271c363794 | Configure IoT Hub device provisioning service instances to disable public network access | Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/iotdpsvnet. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Compute | d461a302-a187-421a-89ac-84acdb4edc04 | Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Search | a049bf77-880b-470f-ba6d-9f21c530cf83 | Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.0 > 6.1.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Event Hub | b8564268-eb4a-4337-89be-a19db070c59d | Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Automation | 955a914f-bf86-4f0e-acd5-e0766b0efcb6 | Automation accounts should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Service Bus | 7d890f7f-100c-473d-baa1-2777e2266535 | Configure Service Bus namespaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Service Bus namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Service Bus Data Owner •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| SignalR | 464a1620-21b5-448d-8ce6-d4ac6d1bc49a | Azure SignalR Service should use a Private Link enabled SKU | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination which protect your resources against public data leakage risks. The policy limits you to Private Link enabled SKUs for Azure SignalR Service. Learn more about private link at: https://aka.ms/asrs/privatelink. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Synapse | 1e5ed725-f16c-478b-bd4b-7bfa2f7940b9 | Configure Azure Synapse workspaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Search | fbc14a67-53e4-4932-abcc-2049c6706009 | Configure Azure Cognitive Search services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Cognitive Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Security Center | 86b3d65f-7626-441e-b690-81a8b71cff60 | System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Storage | 9f766f00-8d11-464e-80e1-4091d7874074 | Configure Storage account to use a private link connection | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your storage account, you can reduce data leakage risks. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •Storage Account Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| SignalR | 62a3ae95-8169-403e-a2d2-b82141448092 | Modify Azure SignalR Service resources to disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Modify Allowed Modify, Disabled |
count: 001 •SignalR/Web PubSub Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Event Hub | ed66d4f5-8220-45dc-ab4a-20d1749c74e6 | Configure Event Hub namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.1 > 2.1.0) | 2021-03-09 14:37:41 | BuiltIn | |
| API Management | 73ef9241-5d81-4cd4-b483-8443d1730fe5 | API Management service should use a SKU that supports virtual networks | With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Security Admin |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Backup | deeddb44-9f94-4903-9fa0-081d524406e3 | [Preview]: Azure Recovery Services vaults should use private link for backup | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Service Bus | 1c06e275-d63d-4540-b761-71f364c2111d | Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Internet of Things | aaa64d2d-2fa3-45e5-b332-0b031b9b30e8 | Configure IoT Hub device provisioning instances to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Cognitive Services | fe3fd216-4f83-4fc1-8984-2bbec80a3418 | Cognitive Services accounts should use a managed identity | Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Search | ee980b6d-0eca-4501-8d54-f6290fd512c3 | Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Kubernetes | 040732e8-d947-40b8-95d6-854c95024bf8 | Azure Kubernetes Service Private Clusters should be enabled | Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Synapse | 72d11df1-dd8a-41f7-8925-b05b960ebafc | Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-03-09 14:37:41 | BuiltIn | |
| Cosmos DB | a63cc0bd-cda4-4178-b705-37dc439d3e0f | Configure CosmosDB accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Cosmos DB | da69ba51-aaf1-41e5-8651-607cd0b37088 | Configure CosmosDB accounts to disable public network access | Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Default Modify Allowed Modify, Disabled |
count: 002 •Contributor •DocumentDB Account Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| SignalR | 21a9766a-82a5-4747-abb5-650b6dbba6d0 | Azure SignalR Service should disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Automation | 6dd01e4f-1be1-4e80-9d0b-d109e04cb064 | Configure Azure Automation accounts with private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Synapse | 2b18f286-371e-4b80-9887-04759970c0d3 | Synapse workspace auditing settings should have action groups configured to capture critical activities | To ensure your audit logs are as thorough as possible, the AuditActionsAndGroups property should include all the relevant groups. We recommend adding at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP. This is sometimes required for compliance with regulatory standards. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| SQL | f4c68484-132f-41f9-9b6d-3e4b1cb55036 | Configure SQL servers to have auditing enabled | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •SQL Security Manager •Storage Account Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2021-03-09 14:37:41 | BuiltIn |
| Cosmos DB | 797b37f7-06b8-444c-b1ad-fc62867f335a | Azure Cosmos DB should disable public network access | Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Kubernetes | c050047b-b21b-4822-8a2d-c1e37c3c0c6a | Configure Kubernetes clusters with specified GitOps configuration using SSH secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Network | 27960feb-a23c-4577-8d36-ef8b5f35e0be | All flow log resources should be in enabled state | Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Service Bus | f0fcf93c-c063-4071-9668-c47474bd3564 | Configure Service Bus namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Synapse | ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee | Configure Synapse workspaces to have auditing enabled | To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •SQL Security Manager •Storage Account Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Cache | 470baccb-7e51-4549-8b1a-3e5be069f663 | Azure Cache for Redis should disable public network access | Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Cosmos DB | b609e813-3156-4079-91fa-a8494c1471c4 | Configure CosmosDB accounts with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •DocumentDB Account Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Storage | 6f8f98a4-f108-47cb-8e98-91a0d85cd474 | [Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace | Deprecated: This policy did not evaluate correctly and has been separated into policies for each of the nested resources. Please see new policies for storage accounts (id: /providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef), blob services (b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb), file (25a70cc8-2bd4-47f1-90b6-1478e4662c96), queue (7bd000e3-37c7-4928-9f31-86c4b77c5c45), and table (2fb86bf3-d221-43d1-96d1-2434af34eaa0). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2021-03-09 14:37:41 | BuiltIn |
| Cache | e016b22b-e0eb-436d-8fd7-160c4eaed6e2 | Configure Azure Cache for Redis to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Cache | 30b3dfa5-a70d-4c8e-bed6-0083858f663d | Configure Azure Cache for Redis to disable public network access | Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. | Default Modify Allowed Modify, Disabled |
count: 001 •Redis Cache Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.0.0 > 6.1.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Logic Apps | 1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5 | Logic Apps Integration Service Environment should be encrypted with customer-managed keys | Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Event Hub | 91678b7c-d721-4fc5-b179-3cdf74e96b1c | Configure Event Hub namespaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Network Contributor |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn |
| Synapse | e04e5000-cd89-451d-bb21-a14d24ff9c73 | Auditing on Synapse workspace should be enabled | Auditing on your Synapse workspace should be enabled to track database activities across all databases on the dedicated SQL pools and save them in an audit log. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Internet of Things | 2d7e144b-159c-44fc-95c1-ac3dbf5e6e54 | [Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest | Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://aka.ms/iotcmk. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-09 14:37:41 | BuiltIn | |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | [Deprecated]: Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Disabled Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-03-09 14:37:41 | BuiltIn | |
| Storage | 7433c107-6db4-4ad1-b57a-a76dce0154a1 | Storage accounts should be limited by allowed SKUs | Restrict the set of storage account SKUs that your organization can deploy. | Default Deny Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2021-03-09 14:37:41 | BuiltIn | |
| Synapse | 3484ce98-c0c5-4c83-994b-c5ac24785218 | Azure Synapse workspaces should allow outbound data traffic only to approved targets | Increase security of your Synapse workspace by allowing outbound data traffic only to approved targets. This helps prevention against data exfiltration by validating the target before sending data. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Internet of Things | 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb | Public network access on Azure IoT Hub should be disabled | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Compute | d461a302-a187-421a-89ac-84acdb4edc04 | Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | [Deprecated]: API apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| App Service | dcbc65aa-59f3-4239-8978-3bb869d82604 | App Service apps should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Machine Learning | 5f0c7d88-c7de-45b8-ac49-db49e72eaa78 | Azure Machine Learning workspaces should use user-assigned managed identity | Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Event Grid | 36f4658a-848a-467b-881c-e6fa20cf75fc | Deploy - Configure Azure Event Grid domains with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •EventGrid Contributor •Network Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 6.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| SQL | 8e8ca470-d980-4831-99e6-dc70d9f6af87 | Configure Azure SQL Server to enable private endpoint connections | A private endpoint connection enables private connectivity to your Azure SQL Database via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •SQL Server Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.2 > 6.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Internet of Things | c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 | Deploy - Configure Azure IoT Hubs to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Contributor •Network Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Compute | ca91455f-eace-4f96-be59-e6e2c35b4816 | Managed disks should be double encrypted with both platform-managed and customer-managed keys | High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-02 15:11:40 | BuiltIn | |
| Compute | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Automation | 0c2b3618-68a8-4034-a150-ff4abc873462 | Private endpoint connections on Automation Accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| App Configuration | 7a860e27-9ca2-4fc6-822d-c2d248c300df | Configure private DNS zones for private endpoints connected to App Configuration | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-02 15:11:40 | BuiltIn | |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | App Service apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Internet of Things | 0d40b058-9f95-4a19-93e3-9b0330baa2a3 | Private endpoint should be enabled for IoT Hub | Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| App Configuration | 73290fa2-dfa7-4bbb-945d-a5e23b75df2c | Configure App Configuration to disable public network access | Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Automation | 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c | Configure Azure Automation accounts to disable public network access | Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-02 15:11:40 | BuiltIn | |
| Internet of Things | 114eec6e-5e59-4bad-999d-6eceeb39d582 | Modify - Configure Azure IoT Hubs to disable public network access | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.1 > 4.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Compute | fc4d8e41-e223-45ea-9bf5-eada37891d87 | Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| SQL | 28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b | Configure Azure SQL Server to disable public network access | Disabling the public network access property shuts down public connectivity such that Azure SQL Server can only be accessed from a private endpoint. This configuration disables the public network access for all databases under the Azure SQL Server. | Default Modify Allowed Modify, Disabled |
count: 001 •SQL Server Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.1 > 4.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Storage | b35dddd9-daf7-423b-8375-5a5b86806d5a | Configure Azure File Sync with private endpoints | A private endpoint is deployed for the indicated Storage Sync Service resource. This enables you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. The existence of one or more private endpoints by themselves does not disable the public endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Major (1.0.0 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (3.0.1 > 4.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Major (1.3.0 > 2.0.0) | 2021-03-02 15:11:40 | BuiltIn |
| General | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | Not allowed resource types | Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. | Default Deny Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 6.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Monitoring | 11ac78e3-31bc-4f0c-8434-37ab963cea07 | Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Storage | 1d320205-c6a1-4ac6-873d-46224024e8e2 | Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Storage | 0e07b2e9-6cd9-4c40-9ccb-52817b95133b | Modify - Configure Azure File Sync to disable public network access | The Azure File Sync's internet-accessible public endpoint are disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s). | Default Modify Allowed Modify, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Internet of Things | 47031206-ce96-41f8-861b-6a915f3de284 | [Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) | Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-02 15:11:40 | BuiltIn | |
| App Service | 324c7761-08db-4474-9661-d1039abc92ee | [Deprecated]: API apps should use an Azure file share for its content directory | The content directory of an API app should be located on an Azure file share. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use an Azure file shares for its content directory', which is scoped to include API apps in addition to Web Apps. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Batch | 0ef5aac7-c064-427a-b87b-d47b3ddcaf73 | Configure Batch accounts with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Contributor •Managed Identity Operator •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 6.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major (1.3.0 > 2.0.0) | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 6.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Major (1.1.0 > 2.0.0) | 2021-03-02 15:11:40 | BuiltIn |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Major (1.1.0 > 2.0.0) | 2021-03-02 15:11:40 | BuiltIn |
| Internet of Things | bf684997-3909-404e-929c-d4a38ed23b2e | Deploy - Configure Azure IoT Hubs with private endpoints | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Contributor •Network Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| App Configuration | 614ffa75-862c-456e-ad8b-eaa1b0844b07 | Configure private endpoints for App Configuration | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Monitoring | 32133ab0-ee4b-4b44-98d6-042180979d50 | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Event Grid | 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca | Deploy - Configure Azure Event Grid topics with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •EventGrid Contributor •Network Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 6.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Storage | 21a8cd35-125e-4d13-b82d-2e19b7208bb7 | Public network access should be disabled for Azure File Sync | Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Function apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| HDInsight | b0ab5b05-1c98-40f7-bb9e-dc568e41b501 | Azure HDInsight clusters should be injected into a virtual network | Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 6.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn | |
| Storage | 06695360-db88-47f6-b976-7500d4297475 | Configure Azure File Sync to use private DNS zones | To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Network Contributor •Private DNS Zone Contributor |
add |
new Policy | 2021-03-02 15:11:40 | BuiltIn |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (5.0.1 > 6.0.0) | 2021-03-02 15:11:40 | BuiltIn | |
| App Configuration | 3d9f5e4c-9947-4579-9539-2a7695fbc187 | App Configuration should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-23 16:24:42 | BuiltIn | |
| Key Vault | 951af2fa-529b-416e-ab6e-066fd85ac459 | Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-02-23 16:24:42 | BuiltIn |
| Batch | 4ec38ebc-381f-45ee-81a4-acbc4be878f8 | Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-02-23 16:24:42 | BuiltIn |
| Network | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.1.0 > 2.0.0) | 2021-02-23 16:24:42 | BuiltIn | |
| Batch | 009a0c92-f5b4-4776-9b66-4ed2b4775563 | Private endpoint connections on Batch accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-02-23 16:24:42 | BuiltIn | |
| Storage | 6f8f98a4-f108-47cb-8e98-91a0d85cd474 | [Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace | Deprecated: This policy did not evaluate correctly and has been separated into policies for each of the nested resources. Please see new policies for storage accounts (id: /providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef), blob services (b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb), file (25a70cc8-2bd4-47f1-90b6-1478e4662c96), queue (7bd000e3-37c7-4928-9f31-86c4b77c5c45), and table (2fb86bf3-d221-43d1-96d1-2434af34eaa0). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-02-23 16:24:42 | BuiltIn |
| App Configuration | 89c8a434-18f0-402c-8147-630a8dea54e0 | App Configuration should use a SKU that supports private link | When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-23 16:24:42 | BuiltIn | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Contributor •Managed Identity Operator •Virtual Machine Contributor |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2021-02-23 16:24:42 | BuiltIn |
| Kubernetes | 6c66c325-74c8-42fd-a286-a74b0e2939d8 | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-02-23 16:24:42 | BuiltIn |
| 36f4658a-848a-467b-881c-e6fa20cf75fc | n/a | n/a | remove |
36f4658a-848a-467b-881c-e6fa20cf75fc | 2021-02-22 14:29:52 (i) | BuiltIn | |||
| 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca | n/a | n/a | remove |
6fcec95c-fbdf-45e8-91e1-e3175d9c9eca | 2021-02-22 14:29:52 (i) | BuiltIn | |||
| Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2021-02-17 14:28:42 | BuiltIn |
| Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2021-02-17 14:28:42 | BuiltIn | |
| App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Function apps should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-02-17 14:28:42 | BuiltIn | |
| Key Vault | a6d2c800-5230-4a40-bff3-8268b4987d42 | Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM | Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn |
| Event Grid | d389df0a-e0d7-4607-833c-75a6fdac2c2d | Deploy - Configure Azure Event Grid domains to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn |
| Event Grid | 1adadefe-5f21-44f7-b931-a59b54ccdb45 | Azure Event Grid topics should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | [Deprecated]: Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-02-17 14:28:42 | BuiltIn | |
| Monitoring | b3884c81-31aa-473d-a9bb-9466fe0ec2a0 | Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM | Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Log Analytics workspace when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn |
| Key Vault | a2a5b911-5617-447e-a49e-59dbe0e0434b | Resource logs in Azure Key Vault Managed HSM should be enabled | To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| Monitoring | 1f68a601-6e6d-4e42-babf-3f643a047ea2 | Azure Monitor Logs clusters should be encrypted with customer-managed key | Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed deployIfNotExists |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, old suffix: preview (1.0.2-preview > 1.0.2) | 2021-02-17 14:28:42 | BuiltIn |
| Monitoring | d550e854-df1a-4de9-bf44-cd894b39a95e | Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace | Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| Event Grid | 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca | Deploy - Configure Azure Event Grid topics with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •EventGrid Contributor •Network Contributor |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn |
| App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | App Service apps should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-02-17 14:28:42 | BuiltIn | |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2021-02-17 14:28:42 | BuiltIn |
| Event Grid | f8f774be-6aee-492a-9e29-486ef81f3a68 | Azure Event Grid domains should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| Monitoring | fa298e57-9444-42ba-bf04-86e8470e32c7 | Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| Event Grid | 898e9824-104c-4965-8e0e-5197588fa5d4 | Modify - Configure Azure Event Grid domains to disable public network access | Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Modify Allowed Modify, Disabled |
count: 001 •EventGrid Contributor |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn |
| Event Grid | 36f4658a-848a-467b-881c-e6fa20cf75fc | Deploy - Configure Azure Event Grid domains with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •EventGrid Contributor •Network Contributor |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn |
| Key Vault | c39ba22d-4428-4149-b981-70acb31fc383 | Azure Key Vault Managed HSM should have purge protection enabled | Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2021-02-17 14:28:42 | BuiltIn |
| Monitoring | ea0dfaed-95fb-448c-934e-d6e713ce393d | Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| Event Grid | baf19753-7502-405f-8745-370519b20483 | Deploy - Configure Azure Event Grid topics to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn | |
| Event Grid | 36ea4b4b-0f7f-4a54-89fa-ab18f555a172 | Modify - Configure Azure Event Grid topics to disable public network access | Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Modify Allowed Modify, Disabled |
count: 001 •EventGrid Contributor |
add |
new Policy | 2021-02-17 14:28:42 | BuiltIn |
| Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2021-02-17 14:28:42 | BuiltIn | |
| Security Center | 0b15565f-aa9e-48ba-8619-45960f2c314d | Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2021-02-17 14:28:42 | BuiltIn | |
| General | 0a914e76-4921-4c19-b460-a2d36003525a | Audit resource location matches resource group location | Audit that the resource location matches its resource group location | Fixed audit |
change |
Major (1.0.0 > 2.0.0) | 2021-02-10 14:43:58 | BuiltIn | |
| SQL | 7ea8a143-05e3-4553-abfe-f56bef8b0b70 | Configure Azure SQL database servers diagnostic settings to Log Analytics workspace | Enables auditing logs for Azure SQL Database server and stream the logs to a Log Analytics workspace when any SQL Server which is missing this auditing is created or updated | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •SQL Security Manager |
add |
new Policy | 2021-02-10 14:43:58 | BuiltIn |
| Data Lake | 057ef27e-665e-4328-8ea3-04b3122bd9fb | Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| HDInsight | 64d314f6-6062-4780-a861-c23e8951bee5 | Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2021-02-10 14:43:58 | BuiltIn | |
| Logic Apps | 34f95f76-5386-4de7-b824-0d8478470c9d | Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (1.0.0 > 1.0.1) | 2021-02-10 14:43:58 | BuiltIn |
| API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default Audit Allowed audit, Audit, disabled, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Data Factory | 85bb39b5-2f66-49f8-9306-77da3ac5130f | Azure Data Factory integration runtime should have a limit for number of cores | To manage your resources and costs, limit the number of cores for an integration runtime. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-10 14:43:58 | BuiltIn | |
| Search | b4330a05-a843-4bc8-bf9a-cacce50c67f4 | Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Event Hub | 83a214f7-d01a-484b-91a9-ed54470c9a6a | Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-10 14:43:58 | BuiltIn | |
| Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed deployIfNotExists |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2021-02-10 14:43:58 | BuiltIn |
| Data Factory | 127ef6d7-242f-43b3-9eef-947faf1725d0 | Azure Data Factory linked services should use Key Vault for storing secrets | To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-10 14:43:58 | BuiltIn | |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.1.1 > 1.1.2) | 2021-02-10 14:43:58 | BuiltIn | |
| SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2021-02-10 14:43:58 | BuiltIn | |
| Data Factory | 77d40665-3120-4348-b539-3192ec808307 | Azure Data Factory should use a Git repository for source control | Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-10 14:43:58 | BuiltIn | |
| Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2021-02-10 14:43:58 | BuiltIn | |
| Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-10 14:43:58 | BuiltIn | |
| Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2021-02-10 14:43:58 | BuiltIn | |
| Data Lake | c95c74d9-38fe-4f0d-af86-0c7d626a315c | Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2021-02-10 14:43:58 | BuiltIn | |
| SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default Deny Allowed Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2021-02-10 14:43:58 | BuiltIn | |
| Internet of Things | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2021-02-10 14:43:58 | BuiltIn | |
| Batch | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default Deny Allowed Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Service Bus | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Data Factory | 4ec52d6d-beb7-40c4-9a9e-fe753254690e | Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Batch | 428256e6-1fac-4f48-a757-df34c2b3336d | Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Key Vault | cf820ca0-f99e-4f3e-84fb-66e913812d21 | Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | [Deprecated]: Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.2 > 1.0.3) | 2021-02-10 14:43:58 | BuiltIn | |
| Stream Analytics | f9be5368-9bf5-4b84-9e0a-7850da98bb46 | Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.1) | 2021-02-10 14:43:58 | BuiltIn | |
| Data Factory | 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 | Public network access on Azure Data Factory should be disabled | Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-03 15:09:01 | BuiltIn | |
| Kubernetes | 41425d9f-d1a5-499a-9932-f8ed8453932c | Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-03 15:09:01 | BuiltIn | |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2021-02-03 15:09:01 | BuiltIn |
| Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2021-02-03 15:09:01 | BuiltIn |
| Automation | 56a5ee18-2ae6-4810-86f7-18e39ce5629b | Azure Automation accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-02-03 15:09:01 | BuiltIn | |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-02-03 15:09:01 | BuiltIn |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2021-02-03 15:09:01 | BuiltIn |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (5.0.1 > 5.0.2) | 2021-02-03 15:09:01 | BuiltIn | |
| API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-02-03 15:09:01 | BuiltIn | |
| Azure Data Explorer | f4b53539-8df9-40e4-86c6-6b607703bd4e | Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-02-03 15:09:01 | BuiltIn | |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2021-02-03 15:09:01 | BuiltIn |
| Azure Data Explorer | ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 | Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default Audit Allowed Audit, Deny, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-02-03 15:09:01 | BuiltIn | |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (2.0.0 > 3.0.0) | 2021-02-03 15:09:01 | BuiltIn |
| Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Deprecated]: Private endpoint should be configured for Key Vault | The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.2-preview > 1.1.0-preview) | 2021-01-27 16:54:46 | BuiltIn | |
| Service Bus | 295fc8b1-dc9f-4f53-9c61-3f313ceab40a | Service Bus Premium namespaces should use a customer-managed key for encryption | Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-01-27 16:54:46 | BuiltIn | |
| Batch | 74c5a0ae-5e48-4738-b093-65e23a060488 | Public network access should be disabled for Batch accounts | Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-01-27 16:54:46 | BuiltIn | |
| Event Hub | a1ad735a-e96f-45d2-a7b2-9a4932cab7ec | Event Hub namespaces should use a customer-managed key for encryption | Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2021-01-27 16:54:46 | BuiltIn | |
| Attestation | 7b256a2d-058b-41f8-bed9-3f870541c40a | Azure Attestation providers should use private endpoints | Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-01-27 16:54:46 | BuiltIn | |
| Bot Service | 51522a96-0869-4791-82f3-981000c2c67f | Bot Service should be encrypted with a customer-managed key | Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-01-27 16:54:46 | BuiltIn | |
| Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-01-27 16:54:46 | BuiltIn | |
| Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-27 16:54:46 | BuiltIn | |
| Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default Audit Allowed Audit, Disabled |
change |
Patch, old suffix: preview (1.0.1-preview > 1.0.2) | 2021-01-27 16:54:46 | BuiltIn | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-01-27 16:54:46 | BuiltIn | |
| HDInsight | d9da03a1-f3c3-412a-9709-947156872263 | Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn | |
| Security Center | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-01-22 09:14:53 | BuiltIn | |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2021-01-22 09:14:53 | BuiltIn | |
| Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn | |
| HDInsight | 64d314f6-6062-4780-a861-c23e8951bee5 | Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn | |
| Synapse | 0049a6b3-a662-4f3e-8635-39cf44ace45a | Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn | |
| HDInsight | 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6 | Azure HDInsight clusters should use encryption at host to encrypt data at rest | Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn | |
| Security Center | b4d66858-c922-44e3-9566-5cdb7a7be744 | [Deprecated]: A security contact phone number should be provided for your subscription | Enter a phone number to receive notifications when Azure Security Center detects compromised resources - This policy is deprecated because phone numbers are no longer used in any scenario by Azure Security Center | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2021-01-22 09:14:53 | BuiltIn | |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2021-01-22 09:14:53 | BuiltIn | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default Modify Allowed Modify, Disabled |
count: 003 •Managed Identity Contributor •Managed Identity Operator •Virtual Machine Contributor |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn |
| Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-01-22 09:14:53 | BuiltIn | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2021-01-22 09:14:53 | BuiltIn | |
| Security Center | 760a85ff-6162-42b3-8d70-698e268f648c | [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | 2021-01-22 09:14:53 | BuiltIn | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn |
| Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn |
| Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2021-01-22 09:14:53 | BuiltIn |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2021-01-13 16:08:35 | BuiltIn | |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default Audit Allowed Audit, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2021-01-13 16:08:35 | BuiltIn | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-01-13 16:08:35 | BuiltIn | |
| Data Factory | 4ec52d6d-beb7-40c4-9a9e-fe753254690e | Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-01-13 16:08:35 | BuiltIn | |
| Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default Deny Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | [Deprecated]: External accounts with read permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e9ac8f8e-ce22-4355-8f04-99b911d6be52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Monitoring | 6fc8115b-2008-441f-8c61-9b722c1e537f | Workbooks should be saved to storage accounts that you control | With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos | Default Audit Allowed deny, Deny, audit, Audit, disabled, Disabled |
add |
new Policy | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 | [Deprecated]: Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | 2021-01-05 16:06:49 | BuiltIn | |
| Azure Stack Edge | b4ac1030-89c5-4697-8e00-28b5ba6a8811 | Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 760a85ff-6162-42b3-8d70-698e268f648c | [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Batch | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 86b3d65f-7626-441e-b690-81a8b71cff60 | System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | e3576e28-8b17-4677-84c3-db2990658d64 | [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 0cfea604-3201-4e14-88fc-fae4c427a6c5. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | af6cd1bd-1635-48cb-bde7-5b15693900b9 | Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 4f11b553-d42e-4e3a-89be-32ca364cad4c | A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | [Deprecated]: External accounts with write permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 94e1c2ac-cbbe-4cac-a2b5-389c812dee87. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | e8cbc669-f12d-49eb-93e7-9273119e9933 | Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 26a828e1-e88f-464e-bbb3-c134a282b9de | Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | feedbf84-6b99-488c-acc2-71c829aa5ffc | SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (3.0.0 > 4.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 9daedab3-fb2d-461e-b861-71790eead4f6 | All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.1 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2021-01-05 16:06:49 | BuiltIn | |
| SQL | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | Configure Azure Defender to be enabled on SQL servers | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Fixed DeployIfNotExists |
count: 001 •SQL Security Manager |
change |
Major (1.1.0 > 2.0.0) | 2021-01-05 16:06:49 | BuiltIn |
| Security Center | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | [Deprecated]: Deprecated accounts should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | aa633080-8b72-40c4-a2d7-d00c03e80bed | [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e3e008c3-56b9-4133-8fd7-d3347377402a. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 9297c21d-2ed6-4474-b48f-163f75654ce3 | [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | f8456c1c-aa66-4dfb-861a-25d127b775c9 | [Deprecated]: External accounts with owner permissions should be removed from your subscription | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 339353f6-2387-4a45-abe4-7f529d121046. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 22730e10-96f6-4aac-ad84-9383d35b5917 | Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Security Center | bd352bd5-2853-4985-bf0d-73806b4a5744 | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2021-01-05 16:06:49 | BuiltIn | |
| Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Deprecated]: Private endpoint should be configured for Key Vault | The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (3.0.1-deprecated > 4.0.1-deprecated) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2020-12-11 15:42:52 | BuiltIn |
| Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2020-12-11 15:42:52 | BuiltIn | |
| Data Box | c349d81b-9985-44ae-a8da-ff98d108ede8 | Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
Major (1.0.0 > 2.0.0) | 2020-12-11 15:42:52 | BuiltIn |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | [Deprecated]: Azure SignalR Service should use private link | The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| Key Vault | 98728c90-32c7-4049-8429-847dc0f4fe37 | Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2020-12-11 15:42:52 | BuiltIn | |
| Security Center | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2020-12-11 15:42:52 | BuiltIn | |
| Security Center | 475aae12-b88a-4572-8b36-9b712b2b3a17 | Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | 2020-12-11 15:42:52 | BuiltIn | |
| Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | d38fc420-0735-4ef3-ac11-c806f651a570 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Security Center | 0b15565f-aa9e-48ba-8619-45960f2c314d | Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | 0d134df8-db83-46fb-ad72-fe0c9428c8dd | [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest | This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | [Deprecated]: Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| Security Center | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-12-11 15:42:52 | BuiltIn | |
| Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | 2020-12-11 15:42:52 | BuiltIn | |
| Key Vault | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | 2020-12-11 15:42:52 | BuiltIn | |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-12-11 15:42:52 | BuiltIn | |
| App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| Storage | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (2.0.1 > 3.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 | Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-12-11 15:42:52 | BuiltIn | |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | 2020-12-11 15:42:52 | BuiltIn | |
| Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | [Deprecated]: Azure Machine Learning workspaces should use private link | This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.1.0 > 1.1.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-12-11 15:42:52 | BuiltIn | |
| Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Data Box | 86efb160-8de7-451d-bc08-5d475b0aadae | Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Security Center | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (1.0.1 > 2.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| SQL | 048248b0-55cd-46da-b1ff-39efd52db260 | [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest | This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 instead | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (1.0.1 > 1.0.2) | 2020-12-11 15:42:52 | BuiltIn | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major (4.0.1 > 5.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-12-11 15:42:52 | BuiltIn | |
| Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch (2.0.0 > 2.0.1) | 2020-11-17 14:39:37 | BuiltIn | |
| Synapse | 56fd377d-098c-4f02-8406-81eb055902b8 | IP firewall rules on Azure Synapse workspaces should be removed | Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-11-17 14:39:37 | BuiltIn | |
| Tags | 61a4d60b-7326-440e-8051-9f94394d4dd1 | Add or replace a tag on subscriptions | Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | Fixed modify |
count: 001 •Tag Contributor |
add |
new Policy | 2020-11-17 14:39:37 | BuiltIn |
| Synapse | 2d9dbfa3-927b-4cf0-9d0f-08747f971650 | Managed workspace virtual network on Azure Synapse workspaces should be enabled | Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provides user level isolation for Spark activities. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-11-17 14:39:37 | BuiltIn | |
| Synapse | 72d11df1-dd8a-41f7-8925-b05b960ebafc | Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-11-17 14:39:37 | BuiltIn | |
| Synapse | f7d52b2d-e161-4dfa-a82b-55e564167385 | Azure Synapse workspaces should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-11-17 14:39:37 | BuiltIn | |
| Tags | 96d9a89c-0d67-41fc-899d-2b9599f76a24 | Add a tag to subscriptions | Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | Fixed modify |
count: 001 •Tag Contributor |
add |
new Policy | 2020-11-17 14:39:37 | BuiltIn |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn |
| Stream Analytics | 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 | Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn |
| Security Center | feedbf84-6b99-488c-acc2-71c829aa5ffc | SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2020-11-10 16:00:42 | BuiltIn | |
| App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2020-11-10 16:00:42 | BuiltIn | |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed deployIfNotExists |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
Major (1.2.0 > 2.0.0) | 2020-11-10 16:00:42 | BuiltIn |
| Azure Data Explorer | f4b53539-8df9-40e4-86c6-6b607703bd4e | Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn | |
| Synapse | 3a003702-13d2-4679-941b-937e58c443f0 | Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants | Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2020-11-10 16:00:42 | BuiltIn |
| API for FHIR | 1ee56206-5dd1-42ab-b02d-8aae8b1634ce | Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn | |
| Portal | 04c655fe-0ac7-48ae-9a32-3a2e208c7624 | Shared dashboards should not have markdown tiles with inline content | Disallow creating a shared dashboard that has inline content in markdown tiles and enforce that the content should be stored as a markdown file that's hosted online. If you use inline content in the markdown tile, you cannot manage encryption of the content. By configuring your own storage, you can encrypt, double encrypt and even bring your own keys. Enabling this policy restricts users to use 2020-09-01-preview or above version of shared dashboards REST API. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn | |
| Azure Data Explorer | ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 | Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn | |
| Azure Data Explorer | 81e74cea-30fd-40d5-802f-d72103c2aaaa | Azure Data Explorer encryption at rest should use a customer-managed key | Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn | |
| Security Center | 80e94a21-c6cd-4c95-a2c7-beb5704e61c0 | Deploy - Configure suppression rules for Azure Security Center alerts | Suppress Azure Security Center alerts to reduce alerts fatigue by deploying suppression rules on your management group or subscription. | Fixed deployIfNotExists |
count: 001 •Security Admin |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Major, suffix remains equal (1.0.1-preview > 2.0.0-preview) | 2020-11-10 16:00:42 | BuiltIn | |
| Azure Data Explorer | 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 | Virtual network injection should be enabled for Azure Data Explorer | Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-11-10 16:00:42 | BuiltIn | |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics extension for Linux VMs. See deprecation notice below | Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
Major (1.2.0 > 2.0.0) | 2020-11-10 16:00:42 | BuiltIn |
| SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | This policy is deprecated. The policy ensures that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-27 14:12:45 | BuiltIn | |
| SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default Audit Allowed Audit, Disabled, Deny |
change |
Patch (1.0.0 > 1.0.1) | 2020-10-27 14:12:45 | BuiltIn | |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2020-10-27 14:12:45 | BuiltIn | |
| SQL | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | Configure Azure Defender to be enabled on SQL servers | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Fixed DeployIfNotExists |
count: 001 •SQL Security Manager |
change |
Minor (1.0.0 > 1.1.0) | 2020-10-27 14:12:45 | BuiltIn |
| Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-10-27 14:12:45 | BuiltIn | |
| SQL | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL Managed Instance should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default Audit Allowed Audit, Disabled |
change |
Patch (1.0.0 > 1.0.1) | 2020-10-27 14:12:45 | BuiltIn | |
| Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2020-10-27 14:12:45 | BuiltIn | |
| API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default Audit Allowed audit, Audit, disabled, Disabled |
add |
new Policy | 2020-10-27 14:12:45 | BuiltIn | |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2020-10-27 14:12:45 | BuiltIn | |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (2.0.0 > 3.0.0) | 2020-10-27 14:12:45 | BuiltIn | |
| Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2020-10-23 13:31:09 | BuiltIn | |
| Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-23 13:31:09 | BuiltIn | |
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | App Service apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Function apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Function apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.1 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-20 13:29:33 | BuiltIn | |
| SQL | 24fba194-95d6-48c0-aea7-f65bf859c598 | Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers | Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.1.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | [Deprecated]: API apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | App Service apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Major (1.0.0 > 2.0.0) | 2020-10-20 13:29:33 | BuiltIn | |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Azure Kubernetes Service Contributor Role •Azure Kubernetes Service Policy Add-on Deployment |
add |
new Policy | 2020-10-20 13:29:33 | BuiltIn |
| SQL | 3a58212a-c829-4f13-9872-6371df2fd0b4 | Infrastructure encryption should be enabled for Azure Database for MySQL servers | Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-20 13:29:33 | BuiltIn | |
| Key Vault | 98728c90-32c7-4049-8429-847dc0f4fe37 | Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | 75c4f823-d65c-4f29-a733-01d0077fdbcb | Keys should be the specified cryptographic type RSA or EC | Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | 5ff38825-c5d8-47c5-b70e-069a21955146 | Keys should have more than the specified number of days before expiration | If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | 587c79fe-dd04-4a5e-9d0b-f89598c7261b | Keys should be backed by a hardware security module (HSM) | An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | b0eb591a-5e70-4534-a8bf-04b9c489584a | Secrets should have more than the specified number of days before expiration | If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 | Secrets should have content type set | A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | 82067dbb-e53b-4e06-b631-546d197452d9 | Keys using RSA cryptography should have a specified minimum key size | Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | 342e8053-e12e-4c44-be01-c3c2f318400f | Secrets should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | e8d99835-8a06-45ae-a8e0-87a91941ccfe | Secrets should not be active for longer than the specified number of days | If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | 49a22571-d204-4c91-a7b6-09b1a586fbc9 | Keys should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 | Keys should not be active for longer than the specified number of days | Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| Key Vault | ff25f3c8-b739-4538-9d07-3d6d25cfb255 | Keys using elliptic curve cryptography should have the specified curve names | Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-16 12:27:50 | BuiltIn | |
| 6fdb9205-3462-4cfc-87d8-16c7860b53f4 | n/a | n/a | remove |
6fdb9205-3462-4cfc-87d8-16c7860b53f4 | 2020-10-15 14:28:11 (i) | BuiltIn | |||
| e01598e8-6538-41ed-95e8-8b29746cd697 | n/a | n/a | remove |
e01598e8-6538-41ed-95e8-8b29746cd697 | 2020-10-15 14:28:11 (i) | BuiltIn | |||
| Lighthouse | 7a8a51a3-ad87-4def-96f3-65a1839242b6 | Allow managing tenant ids to onboard through Azure Lighthouse | Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. | Fixed deny |
change |
Patch (1.0.0 > 1.0.1) | 2020-10-13 13:23:36 | BuiltIn | |
| Storage | 4733ea7b-a883-42fe-8cac-97454c2a9e4a | Storage accounts should have infrastructure encryption | Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-10-07 16:00:33 | BuiltIn | |
| Lighthouse | 7a8a51a3-ad87-4def-96f3-65a1839242b6 | Allow managing tenant ids to onboard through Azure Lighthouse | Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. | Fixed deny |
add |
new Policy | 2020-09-30 14:32:32 | BuiltIn | |
| Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn | |
| Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn | |
| Guest Configuration | 144f1397-32f9-4598-8c88-118decc3ccba | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn | |
| Guest Configuration | bde62c94-ccca-4821-a815-92c1d31a76de | [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn | |
| Guest Configuration | 93507a81-10a4-4af0-9ee2-34cf25a96e98 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn |
| Guest Configuration | f3b44e5d-1456-475f-9c67-c66c4618e85a | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn | |
| Guest Configuration | cc7cda28-f867-4311-8497-a526129a8d19 | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn | |
| Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default Audit Allowed Audit, Disabled |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn | |
| Guest Configuration | b821191b-3a12-44bc-9c38-212138a29ff3 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-16 13:09:49 | BuiltIn |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed deployIfNotExists |
count: 001 •Guest Configuration Resource Contributor |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn |
| Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 35781875-8026-4628-b19b-f6efb4d88a1d | Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 8316fa92-d69c-4810-8124-62414f560dcf | Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 33936777-f2ac-45aa-82ec-07958ec9ade4 | Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | b4a4d1eb-0263-441b-84cb-a44073d8372d | Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2020-09-15 14:06:41 | BuiltIn |
| Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-15 14:06:41 | BuiltIn | |
| SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default Deny Allowed Deny, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 4221adbc-5c0f-474f-88b7-037a99e6114c | Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f | Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | cc7cda28-f867-4311-8497-a526129a8d19 | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Security Center | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 | [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Deprecated]: Private endpoint should be configured for Key Vault | The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Security Center | 6646a0bd-e110-40ca-bb97-84fcee63c414 | [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates | [Deprecated: With Cloud Services (classic) retiring (see https://azure.microsoft.com/updates/cloud-services-retirement-announcement), there will no longer be a need for this assessment as management certificates will be obsolete.] Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | b821191b-3a12-44bc-9c38-212138a29ff3 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | bf16e0bb-31e1-4646-8202-60a235cc7e74 | Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 84662df4-0e37-44a6-9ce1-c9d2150db18c | Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Managed Application | 9db7917b-1607-4e7d-a689-bca978dd0633 | Application definition for Managed Application should use customer provided storage account | Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default Deny Allowed Deny, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | d7ccd0ca-8d78-42af-a43d-6b7f928accbc | [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | ebb67efd-3c46-49b0-adfe-5599eb944998 | Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 630ac30f-a234-4533-ac2d-e0df77acda51 | Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 9f658460-46b7-43af-8565-94fc0662be38 | [Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 1417908b-4bff-46ee-a2a6-4acc899320ab | Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 | Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 6265018c-d7e2-432f-a75d-094d5f6f4465 | Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 60ffe3e2-4604-4460-8f22-0f1da058266c | [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 32b1e4d4-6cd5-47b4-a935-169da8a5c262 | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | beb6ccee-b6b8-4e91-9801-a5fa4260a104 | Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | da0f98fe-a24b-4ad5-af69-bd0400233661 | Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | bde62c94-ccca-4821-a815-92c1d31a76de | [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | c21f7060-c148-41cf-a68b-0ab3e14c764c | [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 93507a81-10a4-4af0-9ee2-34cf25a96e98 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Security Center | d62cfe2b-3ab0-4d41-980d-76803b58ca65 | [Deprecated]: Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Security Center | 5a913c68-0590-402c-a531-e57e19379da3 | [Deprecated]: Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | b2fc8f91-866d-4434-9089-5ebfe38d6fd8 | [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | c5b85cba-6e6f-4de4-95e1-f0233cd712ac | Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | f3b44e5d-1456-475f-9c67-c66c4618e85a | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | a29ee95c-0395-4515-9851-cc04ffe82a91 | [Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Security Center | a4fe33eb-e377-4efb-ab31-0784311bc499 | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 144f1397-32f9-4598-8c88-118decc3ccba | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | c96f3246-4382-4264-bf6b-af0b35e23c3c | [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot | This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 7a031c68-d6ab-406e-a506-697a19c634b0 | [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled | This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a | [Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 7e56b49b-5990-4159-a734-511ea19b731c | [Deprecated]: Show audit results from Windows VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 315c850a-272d-4502-8935-b79010405970 | [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 | Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | Fixed auditIfNotExists |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | f0633351-c7b2-41ff-9981-508fc08553c2 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| Guest Configuration | 8b0de57a-f511-4d45-a277-17cb79cb163b | [Deprecated]: Show audit results from Windows VMs with a pending reboot | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn | |
| Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-09-09 11:24:03 | BuiltIn |
| App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default Audit Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app | PHP cannot be used with Function apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-09-02 14:03:46 | BuiltIn | |
| 84ce0900-69cd-4b5e-b676-0b5a66d027c9 | n/a | n/a | remove |
84ce0900-69cd-4b5e-b676-0b5a66d027c9 | 2020-08-31 13:45:20 (i) | BuiltIn | |||
| Guest Configuration | e0efc13a-122a-47c5-b817-2ccfe5d12615 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy | This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-27 15:39:26 | BuiltIn |
| Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-08-27 15:39:26 | BuiltIn | |
| Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | [Deprecated]: Azure Machine Learning workspaces should use private link | This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-08-27 15:39:26 | BuiltIn | |
| Network | c251913d-7d24-4958-af87-478ed3b9ba41 | Flow logs should be configured for every network security group | Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-08-27 15:39:26 | BuiltIn | |
| Guest Configuration | 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 | Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-27 15:39:26 | BuiltIn | |
| Guest Configuration | 90ba2ee7-4ca8-4673-84d1-c851c50d3baf | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-27 15:39:26 | BuiltIn |
| 84ce0900-69cd-4b5e-b676-0b5a66d027c9 | Fixed |
add |
new Policy | 2020-08-27 15:39:26 | BuiltIn | ||||
| Guest Configuration | 16f9b37c-4408-4c30-bc17-254958f2e2d6 | [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-27 15:39:26 | BuiltIn | |
| Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-27 15:39:26 | BuiltIn | |
| Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2020-08-27 15:39:26 | BuiltIn |
| Guest Configuration | f8036bd0-c10b-4931-86bb-94a878add855 | [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-27 15:39:26 | BuiltIn | |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-08-27 15:39:26 | BuiltIn | |
| Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 35781875-8026-4628-b19b-f6efb4d88a1d | Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | b4a4d1eb-0263-441b-84cb-a44073d8372d | Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 33936777-f2ac-45aa-82ec-07958ec9ade4 | Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 8316fa92-d69c-4810-8124-62414f560dcf | Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn |
| Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-08-20 14:05:01 | BuiltIn | |
| Security Center | 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea | Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Default Audit Allowed Audit, Disabled |
change |
new Policy | 2020-08-19 13:49:29 | BuiltIn | |
| Security Center | fb893a29-21bb-418c-a157-e99480ec364c | Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Default Audit Allowed Audit, Disabled |
change |
new Policy | 2020-08-19 13:49:29 | BuiltIn | |
| App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2020-08-19 13:49:29 | BuiltIn | |
| Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default Disabled Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-19 13:49:29 | BuiltIn | |
| Security Center | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Default Audit Allowed Audit, Disabled |
change |
new Policy | 2020-08-19 13:49:29 | BuiltIn | |
| Storage | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-08-18 14:06:57 | BuiltIn | |
| Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-08-18 14:06:57 | BuiltIn | |
| Storage | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-08-18 14:06:57 | BuiltIn | |
| App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default Audit Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-08-05 13:05:29 | BuiltIn | |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-05 13:05:29 | BuiltIn |
| SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-08-05 13:05:29 | BuiltIn | |
| SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-08-05 13:05:29 | BuiltIn | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
change |
new Policy | 2020-08-05 13:05:29 | BuiltIn |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-08-05 13:05:29 | BuiltIn |
| SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-08-05 13:05:29 | BuiltIn | |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-07-17 15:57:10 | BuiltIn |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-07-17 15:57:10 | BuiltIn |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
add |
new Policy | 2020-07-17 15:57:10 | BuiltIn |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
add |
new Policy | 2020-07-17 15:57:10 | BuiltIn |
| Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| Security Center | 6581d072-105e-4418-827f-bd446d56421b | Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| SQL | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL Managed Instance should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | [Deprecated]: Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | [Deprecated]: Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-14 15:28:17 | BuiltIn | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Network | 425bea59-a659-4cbb-8d31-34499bd030b8 | Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default Audit Allowed Audit, Disabled |
change |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default Deny Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| SQL | 77e8b146-0078-4fb2-b002-e112381199f0 | Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | Fixed AuditIfNotExists |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default Deny Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Network | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-07-08 14:28:08 | BuiltIn | |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | [Deprecated]: Azure SignalR Service should use private link | The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead. | Default Audit Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| SQL | 9677b740-f641-4f3c-b9c5-466005c85278 | [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Default Audit Allowed Audit, Disabled, Deny |
add |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| SQL | e756b945-1b1b-480b-8de8-9a0859d5f7ad | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| SQL | bda18df3-5e41-4709-add9-2554ce68c966 | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings | It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-07-01 14:50:07 | BuiltIn | |
| Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-06-30 14:58:19 | BuiltIn | |
| 497dff13-db2a-4c0f-8603-28fa3b331ab6 | n/a | n/a | remove |
497dff13-db2a-4c0f-8603-28fa3b331ab6 | 2020-06-29 05:46:45 (i) | BuiltIn | |||
| 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | n/a | n/a | remove |
3cf2ab00-13f1-4d0c-8971-2ac904541a7e | 2020-06-29 05:46:45 (i) | BuiltIn | |||
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-29 05:46:45 | BuiltIn |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-29 05:46:45 | BuiltIn |
| Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | [Deprecated]: Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-23 16:03:25 | BuiltIn |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn |
| Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn |
| Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Security Center | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default Audit Allowed audit, Audit, disabled, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Security Center | 6581d072-105e-4418-827f-bd446d56421b | Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | [Deprecated]: Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default Disabled Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-23 16:03:25 | BuiltIn |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn |
| Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed modify |
count: 001 •Contributor |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn |
| Security Center | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-23 16:03:25 | BuiltIn | |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
new Policy | 2020-06-22 16:06:25 | BuiltIn |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
new Policy | 2020-06-22 16:06:25 | BuiltIn |
| Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-06-11 19:46:04 | BuiltIn | |
| Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-06-11 19:46:04 | BuiltIn | |
| Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | [Deprecated]: Cognitive Services accounts should enable data encryption | This policy is deprecated. Cognitive Services have data encryption enforced. | Default Disabled Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | [Deprecated]: Azure SignalR Service should use private link | The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy is deprecated. Cognitive Services have data encryption enforced. | Default Disabled Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | Configure Kubernetes clusters with specified GitOps configuration using no secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 001 •Contributor |
add |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | [Deprecated]: Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Disabled Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn |
| Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-06-09 16:25:53 | BuiltIn | |
| Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-06-08 18:42:36 | BuiltIn | |
| SQL | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-06-08 18:42:36 | BuiltIn | |
| Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-06-08 18:42:36 | BuiltIn | |
| SQL | 1b7aa243-30e4-4c9e-bca8-d0d3022b634a | Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-06-08 18:42:36 | BuiltIn | |
| Cache | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Default Audit Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Security Center | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Security Center | bd352bd5-2853-4985-bf0d-73806b4a5744 | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2020-06-01 18:36:18 | BuiltIn | |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default Audit Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Cosmos DB | 4750c32b-89c0-46af-bfcb-2e4541a818d5 | Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | Fixed append |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn |
| Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Default Audit Allowed Audit, Disabled |
change |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
new Policy | 2020-05-29 15:39:09 | BuiltIn |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn |
| Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default Audit Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn |
| Monitoring | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | Configure Dependency agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn |
| Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Azure Ai Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Monitoring | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn | |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
new Policy | 2020-05-29 15:39:09 | BuiltIn |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2020-05-29 15:39:09 | BuiltIn |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2020-05-21 16:06:38 | BuiltIn |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | [Deprecated]: Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-05-21 16:06:38 | BuiltIn | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
add |
new Policy | 2020-05-13 05:56:52 | BuiltIn | |
| Security Center | 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2020-05-13 05:56:52 | BuiltIn |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
add |
new Policy | 2020-05-13 05:56:52 | BuiltIn | |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2020-05-13 05:56:52 | BuiltIn |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
add |
new Policy | 2020-05-13 05:56:52 | BuiltIn | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
add |
new Policy | 2020-05-13 05:56:52 | BuiltIn | |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default enforceSetting Allowed enforceSetting, disabled |
add |
new Policy | 2020-05-13 05:56:52 | BuiltIn | |
| Security Center | 6df2fee6-a9ed-4fef-bced-e13be1b25f1c | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2020-05-13 05:56:52 | BuiltIn |
| Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Default Audit Allowed Audit, Deny, Disabled |
change |
new Policy | 2020-05-09 14:57:51 | BuiltIn | |
| Compute | cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Fixed Deny |
change |
new Policy | 2020-05-09 14:57:51 | BuiltIn | |
| Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-04-28 14:50:57 | BuiltIn | |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-04-28 14:50:57 | BuiltIn | |
| SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-04-28 14:50:57 | BuiltIn | |
| SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-04-28 14:50:57 | BuiltIn | |
| SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-04-28 14:50:57 | BuiltIn | |
| SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-04-28 14:50:57 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-04-23 15:06:19 | BuiltIn | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-04-23 15:06:19 | BuiltIn | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-04-23 15:06:19 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-04-23 15:06:19 | BuiltIn | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-04-23 15:06:19 | BuiltIn | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-04-23 15:06:19 | BuiltIn | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-04-23 15:06:19 | BuiltIn | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-04-23 15:06:19 | BuiltIn | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2020-04-23 15:06:19 | BuiltIn | |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn |
| Monitoring | 11ac78e3-31bc-4f0c-8434-37ab963cea07 | Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn | |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed deployIfNotExists |
count: 001 •Virtual Machine Contributor |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn | |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed deployIfNotExists |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics extension for Linux VMs. See deprecation notice below | Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn |
| Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn | |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn |
| Monitoring | f47b5582-33ec-4c5c-87c0-b010a6b2e917 | Virtual machines should be connected to a specified workspace | Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-04-22 04:43:16 | BuiltIn | |
| Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2020-03-17 09:22:59 | BuiltIn | |
| Guest Configuration | 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d | [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-03-17 09:22:59 | BuiltIn |
| Network | fc5e4038-4584-4632-8c85-c0448d374b2c | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-03-17 09:22:59 | BuiltIn | |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-03-17 09:22:59 | BuiltIn | |
| Guest Configuration | 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 | [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-03-17 09:22:59 | BuiltIn | |
| Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-03-17 09:22:59 | BuiltIn | |
| Tags | 1e30110a-5ceb-460c-a204-c1c3969c6d62 | Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | Fixed deny |
change |
new Policy | 2020-03-10 16:29:49 | BuiltIn | |
| Tags | 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71 | Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed append |
change |
new Policy | 2020-03-10 16:29:49 | BuiltIn | |
| Tags | 8ce3da23-7156-49e4-b145-24f95f9dcb46 | Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | Fixed deny |
change |
new Policy | 2020-03-10 16:29:49 | BuiltIn | |
| Tags | 871b6d14-10aa-478d-b590-94f262ecfa99 | Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | Fixed deny |
change |
new Policy | 2020-03-10 16:29:49 | BuiltIn | |
| Tags | 2a0e14a6-b0a6-4fab-991a-187a4f81c498 | Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed append |
change |
new Policy | 2020-03-10 16:29:49 | BuiltIn | |
| Tags | 96670d01-0a4d-4649-9c89-2d3abc0a5025 | Require a tag on resource groups | Enforces existence of a tag on resource groups. | Fixed deny |
change |
new Policy | 2020-03-10 16:29:49 | BuiltIn | |
| Tags | 9ea02ca2-71db-412d-8b00-7c7ca9fcd32d | Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed append |
change |
new Policy | 2020-03-10 16:29:49 | BuiltIn | |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed deployIfNotExists |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
new Policy | 2020-02-29 21:43:10 | BuiltIn |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-02-29 21:43:10 | BuiltIn | |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
new Policy | 2020-02-29 21:43:10 | BuiltIn |
| Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-02-29 21:43:10 | BuiltIn | |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed deployIfNotExists |
count: 001 •Virtual Machine Contributor |
change |
new Policy | 2020-02-29 21:43:10 | BuiltIn |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Virtual Machine Contributor |
change |
new Policy | 2020-02-29 21:43:10 | BuiltIn |
| SQL | 3c14b034-bcb6-4905-94e7-5b8e98a47b65 | PostgreSQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for PostgreSQL has virtual network service endpoint being used. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-02-27 09:26:21 | BuiltIn | |
| SQL | 3375856c-3824-4e0e-ae6a-79e011dd4c47 | MySQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MySQL has virtual network service endpoint being used. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-02-27 09:26:21 | BuiltIn | |
| SQL | 7595c971-233d-4bcf-bd18-596129188c49 | Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-02-27 09:26:21 | BuiltIn | |
| SQL | 0a1302fb-a631-4106-9753-f3d494733990 | Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-02-27 09:26:21 | BuiltIn | |
| SQL | dfbd9a64-6114-48de-a47d-90574dc2e489 | MariaDB server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MariaDB has virtual network service endpoint being used. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-02-27 09:26:21 | BuiltIn | |
| SQL | 0564d078-92f5-4f97-8398-b9f58a51f70b | Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-02-27 09:26:21 | BuiltIn | |
| Security Center | 1a833ff1-d297-4a0f-9944-888428f8e0ff | [Deprecated]: Access to App Services should be restricted | Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges that are too broad | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-02-25 11:29:35 | BuiltIn | |
| Tags | b27a0cbd-a167-4dfa-ae64-4337be671140 | Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | Fixed modify |
count: 001 •Contributor |
add |
new Policy | 2020-02-20 08:25:18 | BuiltIn |
| Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-02-20 08:25:18 | BuiltIn | |
| Tags | 40df99da-1232-49b1-a39a-6da8d878f469 | Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Fixed modify |
count: 001 •Contributor |
add |
new Policy | 2020-02-20 08:25:18 | BuiltIn |
| App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-02-12 02:52:44 | BuiltIn | |
| Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed deployIfNotExists |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2020-02-12 02:52:44 | BuiltIn |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-02-12 02:52:44 | BuiltIn | |
| App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-02-12 02:52:44 | BuiltIn | |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2020-02-12 02:52:44 | BuiltIn | |
| App Platform | 0f2d8593-4667-4932-acca-6a9f187af109 | [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled | Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-02-12 02:52:44 | BuiltIn | |
| Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed auditIfNotExists |
change |
new Policy | 2020-02-08 03:50:24 | BuiltIn | |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Function apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-02-08 03:50:24 | BuiltIn | |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2020-02-08 03:50:24 | BuiltIn |
| Monitoring | 3b980d31-7904-4bb7-8575-5665739a8052 | An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-01-29 21:53:30 | BuiltIn | |
| Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-01-29 21:53:30 | BuiltIn | |
| Network | 2c89a2e5-7285-40fe-afe0-ae8654b92fab | [Deprecated]: SSH access from the Internet should be blocked | This policy is deprecated. This policy audits any network security rule that allows SSH access from Internet | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-01-29 21:53:30 | BuiltIn | |
| Monitoring | b954148f-4c11-4c38-8221-be76711e194a | An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2020-01-29 21:53:30 | BuiltIn | |
| Network | e372f825-a257-4fb8-9175-797a8a8627d6 | [Deprecated]: RDP access from the Internet should be blocked | This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2020-01-29 21:53:30 | BuiltIn | |
| Security Center | ac076320-ddcf-4066-b451-6154267e8ad2 | Enable Microsoft Defender for Cloud on your subscription | Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task. | Fixed deployIfNotExists |
count: 001 •Security Admin |
add |
new Policy | 2020-01-29 21:53:30 | BuiltIn |
| Security Center | a8bef009-a5c9-4d0f-90d7-6018734e8a16 | [Deprecated]: Monitor unencrypted SQL databases in Azure Security Center | Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent Data Encryption on SQL databases should be enabled' | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-01-29 05:56:46 | BuiltIn | |
| Security Center | af8051bf-258b-44e2-a2bf-165330459f9d | [Deprecated]: Monitor unaudited SQL servers in Azure Security Center | SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server' | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-01-29 05:56:46 | BuiltIn | |
| Security Center | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-01-10 16:39:23 | BuiltIn | |
| Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-01-10 16:39:23 | BuiltIn | |
| SQL | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-01-10 16:39:23 | BuiltIn | |
| Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2020-01-10 16:39:23 | BuiltIn | |
| Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists |
count: 001 •Contributor |
change |
new Policy | 2019-12-17 15:43:46 | BuiltIn |
| App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-12-11 09:18:30 | BuiltIn | |
| Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-12-11 09:18:30 | BuiltIn | |
| App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | [Deprecated]: Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps should have authentication enabled', which is scoped to include API apps in addition to Web apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-12-11 09:18:30 | BuiltIn | |
| Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed deployIfNotExists |
count: 001 •Guest Configuration Resource Contributor |
change |
new Policy | 2019-12-11 09:18:30 | BuiltIn |
| Monitoring | fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 | Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-12-11 09:18:30 | BuiltIn | |
| App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Function apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-12-11 09:18:30 | BuiltIn | |
| Monitoring | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-27 16:06:41 | BuiltIn | |
| Monitoring | 04c4380f-3fae-46e8-96c9-30193528f602 | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-27 16:06:41 | BuiltIn | |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
count: 002 •Backup Contributor •Virtual Machine Contributor |
change |
new Policy | 2019-11-19 11:26:09 | BuiltIn |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2019-11-19 11:26:09 | BuiltIn | |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2019-11-19 11:26:09 | BuiltIn | |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2019-11-19 11:26:09 | BuiltIn | |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2019-11-19 11:26:09 | BuiltIn | |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2019-11-19 11:26:09 | BuiltIn | |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2019-11-19 11:26:09 | BuiltIn | |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
new Policy | 2019-11-19 11:26:09 | BuiltIn | |
| Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have 'Client Certificates (Incoming client certificates)' enabled', which is scoped to include API apps in addition to Web Apps. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | [Deprecated]: API apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Function apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Default Disabled Allowed Audit, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 58d94fc1-a072-47c2-bd37-9cdb38e77453 | [Deprecated]: Ensure Function app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | App Service apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | App Service apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 6ad61431-88ce-4357-a0e1-6da43f292bd7 | [Deprecated]: Ensure WEB app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| e567365d-4228-430f-ac39-7d5d46e617ac | n/a | n/a | remove |
e567365d-4228-430f-ac39-7d5d46e617ac | 2019-11-12 19:11:12 (i) | BuiltIn | |||
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app | PHP cannot be used with Function apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Function apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default EnforceRegoPolicy Allowed EnforceRegoPolicy, Disabled |
change |
new Policy | 2019-11-12 19:11:12 | BuiltIn | |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-11-02 10:12:34 | BuiltIn | |
| Monitoring | e8d096bc-85de-4c5f-8cfb-857bd1b9d62d | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Custom Provider | c15c281f-ea5c-44cd-90b8-fc3c14d13f0c | Deploy associations for a custom provider | Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Monitoring | ef7b61ef-b8e4-4c91-8e78-6946c6b0023f | Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Monitoring | 6b51af03-9277-49a9-a3f8-1c69c9ff7403 | Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Monitoring | db51110f-0865-4a6e-b274-e2e07a5b2cd7 | Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Monitoring | 25763a0a-5783-4f14-969e-79d4933eb74b | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Monitoring | 4daddf25-4823-43d4-88eb-2419eb6dcc08 | Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | [Deprecated]: Latest TLS version should be used in your API App | Upgrade to the latest TLS version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use the latest TLS version', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| SQL | d38fc420-0735-4ef3-ac11-c806f651a570 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| e567365d-4228-430f-ac39-7d5d46e617ac | Fixed |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | ||||
| Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Monitoring | 3d5da587-71bd-41f5-ac95-dd3330c2d58d | Deploy Diagnostic Settings for Search Services to Event Hub | Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| SQL | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Managed Application | 17763ad9-70c0-4794-9397-53d765932634 | Deploy associations for a managed application | Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Monitoring | a1dae6c7-13f3-48ea-a149-ff8442661f60 | Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed deployIfNotExists |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | [Deprecated]: Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | App Service apps should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| SQL | 48af4db5-9b8b-401c-8e74-076be876a430 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Monitoring | edf3780c-3d70-40fe-b17e-ab72013dafca | Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| SQL | 82339799-d096-41ae-8538-b108becf0970 | Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Lighthouse | 76bed37b-484f-430f-a009-fd7592dff818 | Audit delegation of scopes to a managing tenant | Audit delegation of scopes to a managing tenant via Azure Lighthouse. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Storage | bf045164-79ba-4215-8f95-f8048dc1780b | Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Function apps should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn |
| App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | [Deprecated]: FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should require FTPS only', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-29 23:04:36 | BuiltIn | |
| SQL | 464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf | [Deprecated]: Require SQL Server version 12.0 | This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than 12.0. | Fixed Deny |
change |
new Policy | 2019-10-29 21:52:54 | BuiltIn | |
| Monitoring | efbde977-ba53-4479-b8e9-10b957924fbf | The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | ae5d2f14-d830-42b6-9899-df6cfe9c71a3 | SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | d416745a-506c-48b6-8ab1-83cb814bcaa3 | Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | c4857be7-912a-4c75-87e6-e30292bcdf78 | [Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | ea4d6841-2173-4317-9747-ff522a45120f | Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | 235359c5-7c52-4b82-9055-01c75cf9f60e | [Deprecated]: Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. The resource type Microsoft.ServiceBus/namespaces/virtualNetworkRules is deprecated in the latest API version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Monitoring | a70ca396-0a34-413a-88e1-b956c1e683be | Virtual machines should have the Log Analytics extension installed | This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | d63edb4a-c612-454d-b47d-191a724fcbf0 | Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 | Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | f1776c76-f58c-4245-a8d0-2b207198dc8b | Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| Network | 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 | Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2019-10-11 00:02:54 | BuiltIn | |
| General | 94c19f19-8192-48cd-a11b-e37099d3e36b | [Deprecated]: Allow resource creation only in European data centers | Allows resource creation in the following locations only: North Europe, West Europe | Fixed Deny |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | |
| General | 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 | [Deprecated]: Allow resource creation only in India data centers | Allows resource creation in the following locations only: West India, South India, Central India | Fixed Deny |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | |
| e01598e8-6538-41ed-95e8-8b29746cd697 | Fixed |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | ||||
| Tags | cd8dc879-a2ae-43c3-8211-1877c5755064 | [Deprecated]: Allow resource creation if 'department' tag set | Allows resource creation only if the 'department' tag is set | Fixed Deny |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | |
| 6fdb9205-3462-4cfc-87d8-16c7860b53f4 | Fixed |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | ||||
| Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs | This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace | Fixed deployIfNotExists |
count: 001 •Log Analytics Contributor |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn |
| SQL | 06a78e20-9358-41c9-923c-fb736d382a12 | [Deprecated]: Audit SQL DB Level Audit Setting | Audit DB level audit setting for SQL databases | Fixed AuditIfNotExists |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | |
| Security Center | abcc6037-1fc4-47f6-aac5-89706589be24 | [Deprecated]: Automatic provisioning of security monitoring agent | Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center. | Fixed AuditIfNotExists |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | |
| General | c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 | [Deprecated]: Allow resource creation only in Asia data centers | Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West | Fixed Deny |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | |
| General | 983211ba-f348-4758-983b-21fa29294869 | [Deprecated]: Allow resource creation only in United States data centers | Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US | Fixed Deny |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | |
| Tags | ac7e5fc0-c029-4b12-91d4-a8500ce697f9 | [Deprecated]: Allow resource creation if 'environment' tag value in allowed values | Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging | Fixed Deny |
change |
new Policy | 2019-10-08 15:55:12 | BuiltIn | |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d | Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-03 22:58:00 | BuiltIn | |
| SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | This policy is deprecated. The policy ensures that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-03 22:58:00 | BuiltIn | |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 | Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-03 22:58:00 | BuiltIn | |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 | Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-03 22:58:00 | BuiltIn | |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 | Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2019-10-03 22:58:00 | BuiltIn |