AzInitiativeAdvertizer

last sync: 2022-Dec-02 17:43:04 UTC

Azure Policy Initiative

NIST SP 800-171 Rev. 2

Name

NIST SP 800-171 Rev. 2
Azure Portal

03055927-78bd-4236-86c0-f36125a10dc9

Version

15.0.0
details on versioning

Category

Regulatory Compliance
Microsoft docs

Description

The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171

Type

BuiltIn

Deprecated

False

Preview

False

History

Date/Time (UTC ymd) (i)	Changes
2022-09-16 16:31:45	add Policy Define information system account types (623b5f0a-8cbd-03a6-4892-201d27302f0c) add Policy Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f) add Policy Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344) add Policy Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59) add Policy Review administrator assignments weekly (f27a298f-9443-014a-0d40-fef12adf0259) add Policy Establish electronic signature and certificate requirements (6f3866e8-6e12-69cf-788c-809d426094a1) add Policy Automate proposed documented changes (5c40f27b-6791-18c5-3f85-7b863bd99c11) add Policy Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c) add Policy Develop security safeguards (423f6d9c-0c73-9cc6-64f4-b52242490368) add Policy Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2) add Policy Implement an insider threat program (35de8462-03ff-45b3-5746-9d4603c74c56) add Policy Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc) add Policy Establish security requirements for the manufacturing of connected devices (afbecd30-37ee-a27b-8e09-6ac49951a0ee) add Policy Separate duties of individuals (60ee1260-97f0-61bb-8155-5d8b75743655) add Policy Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198) add Policy Implement privileged access for executing vulnerability scanning activities (5b802722-71dd-a13d-2e7e-231e09589efb) add Policy Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7) add Policy Restrict unauthorized software and firmware installation (4ee5975d-2507-5530-a20a-83a725889c6f) add Policy View and configure system diagnostic data (0123edae-3567-a05a-9b05-b53ebe9d3e7e) add Policy Monitor privileged role assignment (ed87d27a-9abf-7c71-714c-61d881889da4) add Policy Establish a password policy (d8bbd80e-3bb1-5983-06c2-428526ec6a63) add Policy Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b) add Policy Review changes for any unauthorized changes (c246d146-82b0-301f-32e7-1065dcd248b7) add Policy Establish terms and conditions for processing resources (5715bf33-a5bd-1084-4e19-bc3c83ec1c35) add Policy Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841) add Policy Discover any indicators of compromise (07b42fb5-027e-5a3c-4915-9d9ef3020ec7) add Policy Reauthenticate or terminate a user session (d6653f89-7cb5-24a4-9d71-51581038231b) add Policy Establish voip usage restrictions (68a39c2b-0f17-69ee-37a3-aa10f9853a08) add Policy Explicitly notify use of collaborative computing devices (62fa14f0-4cbe-762d-5469-0899a99b98aa) add Policy Clear personnel with access to classified information (c42f19c9-5d88-92da-0742-371a0ea03126) add Policy Obscure feedback information during authentication process (1ff03f2a-974b-3272-34f2-f6cd51420b30) add Policy Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444) add Policy Disable authenticators upon termination (d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10) add Policy Revoke privileged roles as appropriate (32f22cfa-770b-057c-965b-450898425519) add Policy Designate authorized personnel to post publicly accessible information (b4512986-80f5-1656-0c58-08866bd2673a) add Policy Automate process to document implemented changes (43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8) add Policy Automate approval request for proposed changes (575ed5e8-4c29-99d0-0e4d-689fb1d29827) add Policy Provide capability to process customer-controlled audit records (21633c09-804e-7fcd-78e3-635c6bfe2be7) add Policy Establish and maintain an asset inventory (27965e62-141f-8cca-426f-d09514ee5216) add Policy Route traffic through managed network access points (bab9ef1d-a16d-421a-822d-3fa94e808156) add Policy Enforce a limit of consecutive failed login attempts (b4409bff-2287-8407-05fd-c73175a68302) add Policy Develop POA&M (477bd136-7dd9-55f8-48ac-bae096b86a07) add Policy Ensure authorized users protect provided authenticators (37dbe3dc-0e9c-24fa-36f2-11197cbfa207) add Policy Coordinate contingency plans with related plans (c5784049-959f-6067-420c-f4cefae93076) add Policy Authorize, monitor, and control usage of mobile code technologies (291f20d4-8d93-1d73-89f3-6ce28b825563) add Policy Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b) add Policy Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42) add Policy Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13) add Policy Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93) add Policy Implement incident handling (433de59e-7a53-a766-02c2-f80f8421469a) add Policy Review controlled folder access events (f48b60c6-4b37-332f-7288-b6ea50d300eb) add Policy Execute actions in response to information spills (ba78efc6-795c-64f4-7a02-91effbd34af9) add Policy Implement controls to secure alternate work sites (cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e) add Policy Review content prior to posting publicly accessible information (9e3c505e-7aeb-2096-3417-b132242731fc) add Policy Provide privacy training (518eafdd-08e5-37a9-795b-15a8d798056d) add Policy Maintain list of authorized remote maintenance personnel (4ce91e4e-6dab-3c46-011a-aa14ae1561bf) add Policy Protect special information (a315c657-4a00-8eba-15ac-44692ad24423) add Policy Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd) add Policy Require use of individual authenticators (08ad71d0-52be-6503-4908-e015460a16ae) add Policy Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce) add Policy Review file and folder activity (ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba) add Policy Maintain integrity of audit system (c0559109-6a27-a217-6821-5a6d44f92897) add Policy Update information security policies (5226dee6-3420-711b-4709-8e675ebd828f) add Policy Perform a privacy impact assessment (d18af1ac-0086-4762-6dc8-87cdded90e39) add Policy Control physical access (55a7f9a0-6397-7589-05ef-5ed59a8149e7) add Policy Manage nonlocal maintenance and diagnostic activities (1fb1cb0e-1936-6f32-42fd-89970b535855) add Policy Protect audit information (0e696f5a-451f-5c15-5532-044136538491) add Policy Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a) add Policy Prevent identifier reuse for the defined time period (4781e5fd-76b8-7d34-6df3-a0a7fca47665) add Policy Assign system identifiers (f29b17a4-0df2-8a50-058a-8570f9979d28) add Policy Refresh authenticators (3ae68d9a-5696-8c32-62d3-c6f9c52e437c) add Policy Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34) add Policy Review publicly accessible content for nonpublic information (b5244f81-6cab-3188-2412-179162294996) add Policy Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734) add Policy Establish requirements for audit review and reporting (b3c8cc83-20d3-3890-8bc8-5568777670f4) add Policy Implement security engineering principles of information systems (df2e9507-169b-4114-3a52-877561ee3198) add Policy Review role group changes weekly (70fe686f-1f91-7dab-11bf-bca4201e183b) add Policy Develop and maintain a vulnerability management standard (055da733-55c6-9e10-8194-c40731057ec4) add Policy Enforce security configuration settings (058e9719-1ff9-3653-4230-23f76b6492e0) add Policy Implement personnel screening (e0c480bf-0d68-a42d-4cbb-b60f851f8716) add Policy Conduct a security impact analysis (203101f5-99a3-1491-1b56-acccd9b66a9e) add Policy Reevaluate access upon personnel transfer (e89436d8-6a93-3b62-4444-1d2a42ad56b2) add Policy Review account provisioning logs (a830fe9e-08c9-a4fb-420c-6f6bf1702395) add Policy Manage a secure surveillance camera system (f2222056-062d-1060-6dc2-0107a68c34b2) add Policy Perform audit for configuration change control (1282809c-9001-176b-4a81-260a085f4872) add Policy Use dedicated machines for administrative tasks (b8972f60-8d77-1cb8-686f-9c9f4cdd8a59) add Policy Provide security training for new users (1cb7bf71-841c-4741-438a-67c65fdd7194) add Policy Restrict access to privileged accounts (873895e8-0e3a-6492-42e9-22cd030e9fcd) add Policy Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) add Policy Implement an automated configuration management tool (33832848-42ab-63f3-1a55-c0ad309d44cd) add Policy Define mobile device requirements (9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4) add Policy Protect against and prevent data theft from departing employees (80a97208-264e-79da-0cc7-4fca179a0c9c) add Policy Train personnel on disclosure of nonpublic information (97f0d974-1486-01e2-2088-b888f46c0589) add Policy Establish backup policies and procedures (4f23967c-a74b-9a09-9dc2-f566f61a87b9) add Policy Establish network segmentation for card holder data environment (f476f3b0-4152-526e-a209-44e5f8c968d7) add Policy Authorize remote access to privileged commands (01c387ea-383d-4ca9-295a-977fab516b03) add Policy Coordinate with external organizations to achieve cross org perspective (d4e6a629-28eb-79a9-000b-88030e4823ca) add Policy Provide real-time alerts for audit event failures (0f4fa857-079d-9d3d-5c49-21f616189e03) add Policy Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65) add Policy Identify and manage downstream information exchanges (c7fddb0e-3f44-8635-2b35-dc6b8e740b7c) add Policy Establish an information security program (84245967-7882-54f6-2d34-85059f725b47) add Policy Enforce random unique session identifiers (c7d57a6a-7cc2-66c0-299f-83bf90558f5d) add Policy Maintain records of processing of personal data (92ede480-154e-0e22-4dca-8b46a74a3a51) add Policy Provide periodic security awareness training (516be556-1353-080d-2c2f-f46f000d5785) add Policy Automate process to prohibit implementation of unapproved changes (7d10debd-4775-85a7-1a41-7e128e0e8c50) add Policy Govern compliance of cloud service providers (5c33538e-02f8-0a7f-998b-a4c1e22076d3) add Policy Authorize remote access (dad8a2e9-6f27-4fc2-8933-7e99fe700c9c) add Policy Develop security assessment plan (1c258345-5cd4-30c8-9ef3-5ee4dd5231d6) add Policy Establish a configuration control board (7380631c-5bf5-0e3a-4509-0873becd8a63) add Policy Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e) add Policy Enforce appropriate usage of all accounts (fd81a1b3-2d7a-107c-507e-29b87d040c19) add Policy Compile Audit records into system wide audit (214ea241-010d-8926-44cc-b90a96d52adc) add Policy Document and implement wireless access guidelines (04b3e7f6-4841-888d-4799-cda19a0084f6) add Policy Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06) add Policy Use privileged identity management (e714b481-8fac-64a2-14a9-6f079b2501a4) add Policy Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7) add Policy Information flow control using security policy filters (13ef3484-3a51-785a-9c96-500f21f84edd) add Policy Establish a threat intelligence program (b0e3035d-6366-2e37-796e-8bcab9c649e6) add Policy Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f) add Policy Implement physical security for offices, working areas, and secure areas (05ec66a2-137c-14b8-8e75-3d7a2bef07f8) add Policy Review and reevaluate privileges (585af6e9-90c0-4575-67a7-2f9548972e32) add Policy Assign information security representative to change control (6abdf7c7-362b-3f35-099e-533ed50988f9) add Policy Modify access authorizations upon personnel transfer (979ed3b6-83f9-26bc-4b86-5b05464700bf) add Policy Restrict media use (6122970b-8d4a-7811-0278-4c6c68f61e4f) add Policy Enable dual or joint authorization (2c843d78-8f64-92b5-6a9b-e8186c0e7eb6) add Policy Perform a risk assessment (8c5d3d8d-5cba-0def-257c-5ab9ea9644dc) add Policy Document security operations (2c6bee3a-2180-2430-440d-db3c7a849870) add Policy Assess risk in third party relationships (0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08) add Policy Review and update the events defined in AU-02 (a930f477-9dcb-2113-8aa7-45bb6fc90861) add Policy Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823) add Policy Designate personnel to supervise unauthorized maintenance activities (7a489c62-242c-5db9-74df-c073056d6fa3) add Policy Provide audit review, analysis, and reporting capability (44f8a42d-739f-8030-89a8-4c2d5b3f6af3) add Policy Undergo independent security review (9b55929b-0101-47c0-a16e-d6ac5c7d21f8) add Policy Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98) add Policy Separate user and information system management functionality (8a703eb5-4e53-701b-67e4-05ba2f7930c8) add Policy Configure detection whitelist (2927e340-60e4-43ad-6b5f-7a1468232cc2) add Policy Establish usage restrictions for mobile code technologies (ffdaa742-0d6f-726f-3eac-6e6c34e36c93) add Policy Control use of portable storage devices (36b74844-4a99-4c80-1800-b18a516d1585) add Policy Provide security awareness training for insider threats (9b8b05ec-3d21-215e-5d98-0f7cf0998202) add Policy Run simulation attacks (a8f9c283-9a66-3eb3-9e10-bdba95b85884) add Policy Define access authorizations to support separation of duties (341bc9f1-7489-07d9-4ec6-971573e1546a) add Policy Enforce and audit access restrictions (8cd815bf-97e1-5144-0735-11f6ddb50a59) add Policy Integrate Audit record analysis (85335602-93f5-7730-830b-d43426fd51fa) add Policy Control maintenance and repair activities (b6ad009f-5c24-1dc0-a25e-74b60e4da45f) add Policy Enable network protection (8c255136-994b-9616-79f5-ae87810e0dcf) add Policy Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1) add Policy Incorporate flaw remediation into configuration management (34aac8b2-488a-2b96-7280-5b9b481a317a) add Policy Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517) add Policy Enforce user uniqueness (e336d5f4-4d8f-0059-759c-ae10f63d1747) add Policy Develop and establish a system security plan (b2ea1058-8998-3dd1-84f1-82132ad482fd) add Policy Update POA&M items (cc057769-01d9-95ad-a36f-1e62a7f9540b) add Policy Support personal verification credentials issued by legal authorities (1d39b5d9-0392-8954-8359-575ce1957d1a) add Policy Establish configuration management requirements for developers (8747b573-8294-86a0-8914-49e9b06a5ace) add Policy Install an alarm system (aa0ddd99-43eb-302d-3f8f-42b499182960) add Policy Automate implementation of approved change notifications (c72fc0c8-2df8-7506-30be-6ba1971747e1) add Policy Implement security directives (26d178a4-9261-6f04-a100-47ed85314c6e) add Policy Establish a risk management strategy (d36700f2-2f0d-7c2a-059c-bdadd1d79f70) add Policy Deliver security assessment results (8e49107c-3338-40d1-02aa-d524178a2afe) add Policy Integrate audit review, analysis, and reporting (f741c4e6-41eb-15a4-25a2-61ac7ca232f0) add Policy Manage maintenance personnel (b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d) add Policy Manage the transportation of assets (4ac81669-00e2-9790-8648-71bc11bc91eb) add Policy Establish a privacy program (39eb03c1-97cc-11ab-0960-6209ed2869f7) add Policy Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f) add Policy Prevent split tunneling for remote devices (66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8) add Policy Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e) add Policy Provide periodic role-based security training (9ac8621d-9acd-55bf-9f99-ee4212cc3d85) add Policy Develop SSP that meets criteria (6b957f60-54cd-5752-44d5-ff5a64366c93) add Policy Automate process to highlight unreviewed change proposals (92b49e92-570f-1765-804a-378e6c592e28) add Policy Configure actions for noncompliant devices (b53aa659-513e-032c-52e6-1ce0ba46582f) add Policy Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4) add Policy Provide security training before providing access (2b05dca2-25ec-9335-495c-29155f785082) add Policy Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a) add Policy Create a data inventory (043c1e56-5a16-52f8-6af8-583098ff3e60) add Policy Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0) add Policy Conduct a full text analysis of logged privileged commands (8eea8c14-4d93-63a3-0c82-000343ee5204) add Policy Turn on sensors for endpoint security solution (5fc24b95-53f7-0ed1-2330-701b539b97fe) add Policy Document security strength requirements in acquisition contracts (ebb0ba89-6d8c-84a7-252b-7393881e43de) add Policy Verify identity before distributing authenticators (72889284-15d2-90b2-4b39-a1e9541e1152) add Policy Terminate user session automatically (4502e506-5f35-0df4-684f-b326e3cc7093) add Policy Implement parameters for memorized secret verifiers (3b30aa25-0f19-6c04-5ca4-bd3f880a763d) add Policy Authorize, monitor, and control voip (e4e1f896-8a93-1151-43c7-0ad23b081ee2) add Policy Produce Security Assessment report (70a7a065-a060-85f8-7863-eb7850ed2af9) add Policy Establish authenticator types and processes (921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0) add Policy Conduct incident response testing (3545c827-26ee-282d-4629-23952a12008b) add Policy Limit privileges to make changes in production environment (2af551d5-1775-326a-0589-590bfb7e9eb2) add Policy Manage authenticator lifetime and reuse (29363ae1-68cd-01ca-799d-92c9197c8404) add Policy Assess Security Controls (c423e64d-995c-9f67-0403-b540f65ba42a) add Policy Use system clocks for audit records (1ee4c7eb-480a-0007-77ff-4ba370776266) add Policy Implement plans of action and milestones for security program process (d93fe1be-13e4-421d-9c21-3158e2fa2667) add Policy Disseminate security alerts to personnel (9c93ef57-7000-63fb-9b74-88f2e17ca5d2) add Policy Document separation of duties (e6f7b584-877a-0d69-77d4-ab8b923a9650) add Policy Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4) add Policy Eradicate contaminated information (54a9c072-4a93-2a03-6a43-a060d30383d7) add Policy Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838) add Policy Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb) add Policy Establish and document a configuration management plan (526ed90e-890f-69e7-0386-ba5c0f1f784f) add Policy Establish terms and conditions for accessing resources (3c93dba1-84fd-57de-33c7-ef0400a08134) add Policy Prohibit remote activation of collaborative computing devices (678ca228-042d-6d8e-a598-c58d5670437d) add Policy Conduct exit interview upon termination (496b407d-9b9e-81e8-4ba4-44bc686b016a) add Policy Initiate transfer or reassignment actions (b8a9bb2f-7290-3259-85ce-dca7d521302d) add Policy Document remote access guidelines (3d492600-27ba-62cc-a1c3-66eb919f6a0d) add Policy Establish procedures for initial authenticator distribution (35963d41-4263-0ef9-98d5-70eb058f9e3c) add Policy Protect wireless access (d42a8f69-a193-6cbc-48b9-04a9e29961f1) add Policy Integrate cloud app security with a siem (9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9) add Policy Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3) add Policy Provide information spillage training (2d4d0e90-32d9-4deb-2166-a00d51ed57c0) add Policy Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1) add Policy Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6) add Policy View and investigate restricted users (98145a9b-428a-7e81-9d14-ebb154a24f93) add Policy Review cloud identity report overview (8aec4343-9153-9641-172c-defb201f56b3) add Policy Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc) add Policy Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea) add Policy Develop information security policies and procedures (af227964-5b8b-22a2-9364-06d2cb9d6d7c) add Policy Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7) add Policy Employ a media sanitization mechanism (eaaae23f-92c9-4460-51cf-913feaea4d52) add Policy Develop and maintain baseline configurations (2f20840e-7925-221c-725d-757442753e7c) add Policy Manage Authenticators (4aacaec9-0628-272c-3e83-0d68446694e0) add Policy Define acceptable and unacceptable mobile code technologies (1afada58-8b34-7ac2-a38a-983218635201) add Policy Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232) add Policy Retain previous versions of baseline configs (5e4e9685-3818-5934-0071-2620c4fa2ca5) add Policy Establish firewall and router configuration standards (398fdbd8-56fd-274d-35c6-fa2d3b2755a1) add Policy Notify upon termination or transfer (c79d378a-2521-822a-0407-57454f8d2c74) add Policy Notify users of system logon or access (fe2dff43-0a8c-95df-0432-cb1c794b17d0) add Policy Correlate audit records (10874318-0bf7-a41f-8463-03e395482080) Version change: '14.0.0' to '15.0.0'
2022-09-13 16:35:24	Description change: 'This initiative includes policies that address a subset of NIST SP 800-171 Rev. 2 requirements. Policies may be added or removed in future releases. For more information, visit https://aka.ms/nist800171r2-initiative.' to 'The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171'
2022-07-07 16:32:14	Version change: '13.0.0' to '14.0.0' remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e) remove Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16) remove Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39) remove Policy [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app (991310cd-e9f3-47bc-b7b6-f57b557d07db) remove Policy [Deprecated]: CORS should not allow every resource to access your API App (358c20a6-3f9e-4f0e-97ff-c6ce485e2aac) remove Policy [Deprecated]: FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5) remove Policy [Deprecated]: Managed identity should be used in your API App (c4d441f8-f9d9-4a9e-9cef-e82117cb3eef) remove Policy [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled (0c192fe8-9cbb-4516-85b3-0ade8bd03886) remove Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e) remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba)
2022-06-10 16:31:22	Version change: '12.0.0' to '13.0.0' remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2022-05-26 16:30:17	add Policy Azure Web PubSub Service should use private link (eb907f70-7514-460d-92b3-a5ae93b4f917) add Policy Azure SignalR Service should use private link (2393d2cf-a342-44cd-a2e2-fe0188fd1234) Version change: '10.0.0' to '12.0.0' remove Policy [Deprecated]: Azure SignalR Service should use private link (53503636-bcc9-4748-9663-5348217f160f) remove Policy [Deprecated]: Azure Web PubSub Service should use private link (52630df9-ca7e-442b-853b-c6ce548b31a2) remove Policy [Deprecated]: Azure Cache for Redis should reside within a virtual network (7d092e0a-7acd-40d2-a975-dca21cae48c4)
2022-05-12 16:30:30	Version change: '9.0.0' to '10.0.0' remove Policy [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates (6646a0bd-e110-40ca-bb97-84fcee63c414)
2022-03-18 17:53:48	add Policy App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510) Version change: '8.0.0' to '9.0.0' remove Policy [Deprecated]: Diagnostic logs in App Services should be enabled (b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0)
2022-01-13 19:18:29	add Policy SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8) add Policy Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38) add Policy SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2) remove Policy [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest (048248b0-55cd-46da-b1ff-39efd52db260) remove Policy [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest (0d134df8-db83-46fb-ad72-fe0c9428c8dd) remove Policy [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a) remove Policy [Deprecated]: Kubernetes cluster containers should only listen on allowed ports (440b515e-a580-421e-abeb-b159a61ddcbc) remove Policy [Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4)
2021-12-08 16:24:23	add Policy Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047) add Policy [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data (2e94d99a-8a36-4563-bc77-810d8893b671) add Policy Disk encryption should be enabled on Azure Data Explorer (f4b53539-8df9-40e4-86c6-6b607703bd4e) add Policy Azure Data Factory should use private link (8b0323be-cc25-4b61-935d-002c3798c6ea) add Policy [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines (d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) add Policy Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password (86efb160-8de7-451d-bc08-5d475b0aadae) add Policy Kubernetes cluster containers should only use allowed capabilities (c26596ff-4d70-4e6a-9a30-c2506bd2f80c) add Policy Enforce SSL connection should be enabled for MySQL database servers (e802a67a-daf5-4436-9ea6-f6d821dd0c5d) add Policy Cognitive Services should use private link (cddd188c-4b82-4c48-a19d-ddf74ee66a01) add Policy Guest Configuration extension should be installed on your machines (ae89ebca-1c92-4898-ac2c-9f63decb045c) add Policy Azure File Sync should use private link (1d320205-c6a1-4ac6-873d-46224024e8e2) add Policy Automation account variables should be encrypted (3657f5a0-770e-44a3-b44e-9431ba1e9735) add Policy Vulnerability assessment should be enabled on your Synapse workspaces (0049a6b3-a662-4f3e-8635-39cf44ace45a) add Policy Azure API for FHIR should use private link (1ee56206-5dd1-42ab-b02d-8aae8b1634ce) add Policy Public network access should be disabled for PostgreSQL servers (b52376f7-9612-48a1-81cd-1ffe4b61032c) add Policy Azure Cognitive Search services should use private link (0fda3595-9f2b-4592-8675-4231d6fa82fe) add Policy [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a) add Policy Function apps should have 'Client Certificates (Incoming client certificates)' enabled (eaebaea7-8013-4ceb-9d14-7eb32271373c) add Policy Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) add Policy Service Bus Premium namespaces should use a customer-managed key for encryption (295fc8b1-dc9f-4f53-9c61-3f313ceab40a) add Policy Non-internet-facing virtual machines should be protected with network security groups (bb91dfba-c30d-4263-9add-9c2384e659a6) add Policy Kubernetes cluster pods and containers should only run with approved user and group IDs (f06ddb64-5fa3-4b77-b166-acb36f7f6042) add Policy An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9) add Policy Cognitive Services accounts should enable data encryption with a customer-managed key (67121cc7-ff39-4ab8-b7e3-95b84dab487d) add Policy IoT Hub device provisioning service instances should use private link (df39c015-56a4-45de-b4a3-efe77bed320d) add Policy PostgreSQL servers should use customer-managed keys to encrypt data at rest (18adea5e-f416-4d0f-8aa8-d24321e3e274) add Policy Key Vault secrets should have an expiration date (98728c90-32c7-4049-8429-847dc0f4fe37) add Policy Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) (ea0dfaed-95fb-448c-934e-d6e713ce393d) add Policy [Deprecated]: Managed identity should be used in your API App (c4d441f8-f9d9-4a9e-9cef-e82117cb3eef) add Policy Resource logs in Service Bus should be enabled (f8d36e2f-389b-4ee4-898d-21aeb69a0f45) add Policy Linux machines should meet requirements for the Azure compute security baseline (fc9b3da7-8347-4380-8e70-0a0361d8dedd) add Policy Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers (24fba194-95d6-48c0-aea7-f65bf859c598) add Policy [Preview]: Network traffic data collection agent should be installed on Windows virtual machines (2f2ee1de-44aa-4762-b6bd-0893fc3f306d) add Policy Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign (617c02be-7f02-4efd-8836-3180d47b6c68) add Policy Kubernetes clusters should be accessible only over HTTPS (1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) add Policy [Deprecated]: Kubernetes cluster containers should only listen on allowed ports (440b515e-a580-421e-abeb-b159a61ddcbc) add Policy Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a) add Policy Service Fabric clusters should only use Azure Active Directory for client authentication (b54ed75b-3e1a-44ac-a333-05ba39b99ff0) add Policy Authorized IP ranges should be defined on Kubernetes Services (0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) add Policy Public network access on Azure SQL Database should be disabled (1b8ca024-1d5c-4dec-8995-b1a932b41780) add Policy VM Image Builder templates should use private link (2154edb9-244f-4741-9970-660785bccdaa) add Policy Kubernetes cluster containers should only use allowed AppArmor profiles (511f5417-5d12-434d-ab2e-816901e72a5e) add Policy Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters (0a15ec92-a229-4763-bb14-0ea34a568f8d) add Policy MySQL servers should use customer-managed keys to encrypt data at rest (83cef61d-dbd1-4b20-a4fc-5fbc7da10833) add Policy Azure Event Grid topics should use private link (4b90e17e-8448-49db-875e-bd83fb6f804f) add Policy Logic Apps Integration Service Environment should be encrypted with customer-managed keys (1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5) add Policy Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d) add Policy Resource logs in Search services should be enabled (b4330a05-a843-4bc8-bf9a-cacce50c67f4) add Policy Azure Cache for Redis should use private link (7803067c-7d34-46e3-8c79-0ca68fc4036d) add Policy Storage account encryption scopes should use customer-managed keys to encrypt data at rest (b5ec538c-daa0-4006-8596-35468b9148e8) add Policy Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b) add Policy [Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c) add Policy [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest (048248b0-55cd-46da-b1ff-39efd52db260) add Policy Resource logs in Virtual Machine Scale Sets should be enabled (7c1b1214-f927-48bf-8882-84f0af6588b1) add Policy Container registries should not allow unrestricted network access (d0793b48-0edc-4296-a390-4c75d1bdfd71) add Policy Storage accounts should use customer-managed key for encryption (6fac406b-40ca-413b-bf8e-0bf964659c25) add Policy Azure Stream Analytics jobs should use customer-managed keys to encrypt data (87ba29ef-1ab3-4d82-b763-87fcd4f531f7) add Policy Virtual machines should be migrated to new Azure Resource Manager resources (1d84d5fb-01f6-4d12-ba4f-4a26081d403d) add Policy Private endpoint connections on Azure SQL Database should be enabled (7698e800-9299-47a6-b3b6-5a0fee576eed) add Policy Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes (d9da03a1-f3c3-412a-9709-947156872263) add Policy [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed (8dfab9c4-fe7b-49ad-85e4-1e9be085358f) add Policy Container registries should be encrypted with a customer-managed key (5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) add Policy Storage accounts should use private link (6edd7eda-6dd8-40f7-810d-67160c639cd9) add Policy Disk access resources should use private link (f39f5f49-4abf-44de-8c70-0756997bfb51) add Policy Key Vault keys should have an expiration date (152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0) add Policy Azure Synapse workspaces should use private link (72d11df1-dd8a-41f7-8925-b05b960ebafc) add Policy Function apps should not have CORS configured to allow every resource to access your apps (0820b7b9-23aa-4725-a1ce-ae4558f718e5) add Policy Azure Container Instance container group should use customer-managed key for encryption (0aa61e00-0a01-4a3c-9945-e93cffedf0e6) add Policy Azure Automation accounts should use customer-managed keys to encrypt data at rest (56a5ee18-2ae6-4810-86f7-18e39ce5629b) add Policy Managed disks should be double encrypted with both platform-managed and customer-managed keys (ca91455f-eace-4f96-be59-e6e2c35b4816) add Policy Double encryption should be enabled on Azure Data Explorer (ec068d99-e9c7-401f-8cef-5bdde4e6ccf1) add Policy Azure HDInsight clusters should use customer-managed keys to encrypt data at rest (64d314f6-6062-4780-a861-c23e8951bee5) add Policy [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest (0d134df8-db83-46fb-ad72-fe0c9428c8dd) add Policy Function apps should require FTPS only (399b2637-a50f-4f95-96f8-3a145476eb15) add Policy Azure Data Explorer encryption at rest should use a customer-managed key (81e74cea-30fd-40d5-802f-d72103c2aaaa) add Policy SQL servers on machines should have vulnerability findings resolved (6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) add Policy [Deprecated]: Azure SignalR Service should use private link (53503636-bcc9-4748-9663-5348217f160f) add Policy Azure Event Grid domains should use private link (9830b652-8523-49cc-b1b3-e17dce1127ca) add Policy Resource logs in Azure Data Lake Store should be enabled (057ef27e-665e-4328-8ea3-04b3122bd9fb) add Policy Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21) add Policy Storage accounts should have infrastructure encryption (4733ea7b-a883-42fe-8cac-97454c2a9e4a) add Policy Kubernetes cluster services should listen only on allowed ports (233a2a17-77ca-4fb1-9b6b-69223d272a44) add Policy Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa) add Policy Event Hub namespaces should use private link (b8564268-eb4a-4337-89be-a19db070c59d) add Policy Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077) add Policy Kubernetes cluster containers should not share host process ID or host IPC namespace (47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) add Policy Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest (1f905d99-2ab7-462c-a6b0-f709acca6c8f) add Policy Azure Key Vault should have firewall enabled (55615ac9-af46-4a59-874e-391cc3dfb490) add Policy Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990) add Policy Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb) add Policy App Service apps should use managed identity (2b9ad585-36bc-4615-b300-fd4435808332) add Policy CosmosDB accounts should use private link (58440f8a-10c5-4151-bdce-dfbaad4a20b7) add Policy Resource logs in Logic Apps should be enabled (34f95f76-5386-4de7-b824-0d8478470c9d) add Policy Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c) add Policy Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17) add Policy Public network access should be disabled for MySQL servers (d9844e8a-1437-4aeb-a32c-0c992f056095) add Policy Azure API for FHIR should use a customer-managed key to encrypt data at rest (051cba44-2429-45b9-9649-46cec11c7119) add Policy Bot Service should be encrypted with a customer-managed key (51522a96-0869-4791-82f3-981000c2c67f) add Policy Email notification for high severity alerts should be enabled (6e2593d9-add6-4083-9c9b-4b7d2188c899) add Policy Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys (7d7be79c-23ba-4033-84dd-45e2a5ccdd67) add Policy Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption (fa298e57-9444-42ba-bf04-86e8470e32c7) add Policy Azure Synapse workspaces should use customer-managed keys to encrypt data at rest (f7d52b2d-e161-4dfa-a82b-55e564167385) add Policy Azure Machine Learning workspaces should be encrypted with a customer-managed key (ba769a63-b8cc-4b2d-abf6-ac33c7204be8) add Policy Azure Cognitive Search services should disable public network access (ee980b6d-0eca-4501-8d54-f6290fd512c3) add Policy Azure data factories should be encrypted with a customer-managed key (4ec52d6d-beb7-40c4-9a9e-fe753254690e) add Policy [Deprecated]: Azure Web PubSub Service should use private link (52630df9-ca7e-442b-853b-c6ce548b31a2) add Policy Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d) add Policy [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates (6646a0bd-e110-40ca-bb97-84fcee63c414) add Policy Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) add Policy [Preview]: Network traffic data collection agent should be installed on Linux virtual machines (04c4380f-3fae-46e8-96c9-30193528f602) add Policy IP Forwarding on your virtual machine should be disabled (bd352bd5-2853-4985-bf0d-73806b4a5744) add Policy App Service Environment should have internal encryption enabled (fb74e86f-d351-4b8d-b034-93da7391c01f) add Policy Management ports should be closed on your virtual machines (22730e10-96f6-4aac-ad84-9383d35b5917) add Policy Virtual machines and virtual machine scale sets should have encryption at host enabled (fc4d8e41-e223-45ea-9bf5-eada37891d87) add Policy [Deprecated]: Azure Cache for Redis should reside within a virtual network (7d092e0a-7acd-40d2-a975-dca21cae48c4) add Policy Resource logs in IoT Hub should be enabled (383856f8-de7f-44a2-81fc-e5135b5c2aa4) add Policy [Preview]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147) add Policy Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) add Policy [Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751) add Policy Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits (e345eecc-fa47-480f-9e88-67dcc122b164) add Policy Kubernetes clusters should not allow container privilege escalation (1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) add Policy Kubernetes cluster containers should run with a read only root file system (df49d893-a74c-421d-bc95-c663042e5b80) add Policy Azure Web Application Firewall should be enabled for Azure Front Door entry-points (055aa869-bc98-4af8-bafc-23f1ab6ffe2c) add Policy Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af) add Policy [Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) (47031206-ce96-41f8-861b-6a915f3de284) add Policy Resource logs in Data Lake Analytics should be enabled (c95c74d9-38fe-4f0d-af86-0c7d626a315c) add Policy Storage accounts should restrict network access using virtual network rules (2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) add Policy Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b) add Policy Cognitive Services accounts should have local authentication methods disabled (71ef260a-8f18-47b7-abcb-62d0673d94dc) add Policy Function apps should use managed identity (0da106f2-4ca3-48e8-bc85-c638fe6aea8f) add Policy Azure Data Box jobs should enable double encryption for data at rest on the device (c349d81b-9985-44ae-a8da-ff98d108ede8) add Policy Storage accounts should be migrated to new Azure Resource Manager resources (37e0d2fe-28a5-43d6-a273-67d37d1f5606) add Policy Authentication to Linux machines should require SSH keys (630c64f9-8b6b-4c64-b511-6544ceff6fd6) add Policy Audit usage of custom RBAC rules (a451c1ef-c6ca-483d-87ed-f49761e3ffb5) add Policy HPC Cache accounts should use customer-managed key for encryption (970f84d8-71b6-4091-9979-ace7e3fb6dbb) add Policy [Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4) add Policy [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled (0c192fe8-9cbb-4516-85b3-0ade8bd03886) add Policy [Deprecated]: FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5) add Policy Azure Defender for Resource Manager should be enabled (c3d20c29-b36d-48fe-808b-99a87530ad99) add Policy Windows machines should meet requirements of the Azure compute security baseline (72650e9f-97bc-4b2a-ab5f-9781a9fcecbc) add Policy Kubernetes cluster pods should only use approved host network and port range (82985f06-dc18-4a48-bc1c-b9f4f0098cfe) add Policy Azure HDInsight clusters should use encryption at host to encrypt data at rest (1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6) add Policy Kubernetes cluster containers should only use allowed images (febd0533-8e55-448f-b837-bd0e06f16469) add Policy Azure Monitor Logs clusters should be encrypted with customer-managed key (1f68a601-6e6d-4e42-babf-3f643a047ea2) add Policy Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49) add Policy Windows Defender Exploit Guard should be enabled on your machines (bed48b13-6647-468e-aa2f-1af1d3f4dd40) add Policy Resource logs in Batch accounts should be enabled (428256e6-1fac-4f48-a757-df34c2b3336d) add Policy Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host (41425d9f-d1a5-499a-9932-f8ed8453932c) add Policy Azure Cosmos DB accounts should have firewall rules (862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) add Policy Container registry images should have vulnerability findings resolved (5f0f936f-2f01-4bf5-b6be-d423792fa562) add Policy Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d) add Policy Cognitive Services accounts should disable public network access (0725b4dd-7e76-479c-a735-68e7ee23d5ca) add Policy [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines (842c54e8-c2f9-4d79-ae8d-38d8b8019373) add Policy Web Application Firewall (WAF) should be enabled for Application Gateway (564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) add Policy Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring (a3a6ea0c-e018-4933-9ef0-5aaa1501449b) add Policy Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity (d26f7642-7545-4e18-9b75-8c9bbdee3a9a) add Policy Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430) add Policy Kubernetes cluster pod hostPath volumes should only use allowed host paths (098fc59e-46c7-4d99-9b16-64990e543d75) add Policy Key vaults should have soft delete enabled (1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d) add Policy App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609) add Policy Azure Spring Cloud should use network injection (af35e2a4-ef96-44e7-a9ae-853dd97032c4) add Policy Resource logs in Event Hub should be enabled (83a214f7-d01a-484b-91a9-ed54470c9a6a) add Policy Azure Batch account should use customer-managed keys to encrypt data (99e9ccd8-3db9-4592-b0d1-14b1715a4d8a) add Policy Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970) add Policy Resource logs in Azure Stream Analytics should be enabled (f9be5368-9bf5-4b84-9e0a-7850da98bb46) add Policy Azure Stack Edge devices should use double-encryption (b4ac1030-89c5-4697-8e00-28b5ba6a8811) add Policy Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (a4fe33eb-e377-4efb-ab31-0784311bc499) add Policy Kubernetes cluster should not allow privileged containers (95edb821-ddaf-4404-9732-666045e056b4) add Policy Azure Machine Learning workspaces should use private link (40cec1dd-a100-4920-b15b-3024fe8901ab) add Policy Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0) add Policy Azure Service Bus namespaces should use private link (1c06e275-d63d-4540-b761-71f364c2111d) add Policy Subnets should be associated with a Network Security Group (e71308d3-144b-4262-b144-efdc3cc90517) add Policy Event Hub namespaces should use a customer-managed key for encryption (a1ad735a-e96f-45d2-a7b2-9a4932cab7ec) add Policy SQL servers with auditing to storage account destination should be configured with 90 days retention or higher (89099bee-89e0-4b26-a5f4-165451757743) add Policy [Deprecated]: CORS should not allow every resource to access your API App (358c20a6-3f9e-4f0e-97ff-c6ce485e2aac) add Policy [Preview]: Certificates should have the specified maximum validity period (0a075868-4c26-42ef-914c-5bc007359560) add Policy Azure Cognitive Search service should use a SKU that supports private link (a049bf77-880b-470f-ba6d-9f21c530cf83) add Policy Allowlist rules in your adaptive application control policy should be updated (123a3936-f020-408a-ba0c-47873faf1534) add Policy Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da) add Policy Cognitive Services accounts should restrict network access (037eea7a-bd0a-46c5-9a66-03aea78705d3) add Policy Infrastructure encryption should be enabled for Azure Database for MySQL servers (3a58212a-c829-4f13-9872-6371df2fd0b4) add Policy [Deprecated]: Diagnostic logs in App Services should be enabled (b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) add Policy API Management services should use a virtual network (ef619a2c-cc4d-4d03-b2ba-8c94a834d85b) add Policy Microsoft Antimalware for Azure should be configured to automatically update protection signatures (c43e4a30-77cb-48ab-a4dd-93f175c63b57) add Policy App Service apps should require FTPS only (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) add Policy OS and data disks should be encrypted with a customer-managed key (702dd420-7fcc-42c5-afe8-4026edd20fe0) add Policy App Configuration should use private link (ca610c1d-041c-4332-9d88-7ed3094967c7) add Policy Container registries should use private link (e8eef0a8-67cf-4eb4-9386-14b0e78733d4) remove Policy [Preview]: Log Analytics Extension should be enabled for listed virtual machine images (32133ab0-ee4b-4b44-98d6-042180979d50) remove Policy Audit diagnostic setting (7f89b1eb-583c-429a-8828-af049802c1d9) remove Policy Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images (5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138)
2021-12-02 17:19:01	Description change: 'This initiative includes policies that address a subset of NIST SP 800-171 Rev. 2 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800171r2-initiative.' to 'This initiative includes policies that address a subset of NIST SP 800-171 Rev. 2 requirements. Policies may be added or removed in future releases. For more information, visit https://aka.ms/nist800171r2-initiative.'
2021-11-22 17:13:50	Description change: 'This initiative includes audit and virtual machine extension policies that address a subset of NIST SP 800-171 R2 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800171r2-blueprint.' to 'This initiative includes policies that address a subset of NIST SP 800-171 Rev. 2 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800171r2-initiative.' Name change: 'NIST SP 800-171 R2' to 'NIST SP 800-171 Rev. 2'
2021-11-15 17:00:50	Name change: '[Preview]: NIST SP 800-171 R2' to 'NIST SP 800-171 R2'
2021-01-22 09:14:56	add Policy A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9) remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c) remove Policy [Deprecated]: A security contact phone number should be provided for your subscription (b4d66858-c922-44e3-9566-5cdb7a7be744)
2020-09-09 11:24:08	add Policy Audit Windows machines that do not store passwords using reversible encryption (da0f98fe-a24b-4ad5-af69-bd0400233661) add Policy Audit Linux machines that have accounts without passwords (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99) add Policy Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112) add Policy Audit Linux machines that do not have the passwd file permissions set to 0644 (e6955644-301c-44b5-a4c4-528577de6861) add Policy Audit Windows machines that allow re-use of the previous 24 passwords (5b054a0d-39e2-4d53-bea3-9734cad2c69b) add Policy Audit Windows machines that do not have the password complexity setting enabled (bf16e0bb-31e1-4646-8202-60a235cc7e74) add Policy Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6) add Policy Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) add Policy Windows machines should meet requirements for 'Security Options - Network Security' (1221c620-d201-468c-81e7-2817e6107e84) add Policy Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6) add Policy Audit Windows machines that do not restrict the minimum password length to 14 characters (a2d0e922-65d0-40c4-8f87-ea6da2d307a2) add Policy Audit Windows machines missing any of specified members in the Administrators group (30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) add Policy Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e) add Policy Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023) remove Policy [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols (60ffe3e2-4604-4460-8f22-0f1da058266c) remove Policy [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords (cdbf72d9-ac9c-4026-8a3a-491a5ac59293) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members (144f1397-32f9-4598-8c88-118decc3ccba) remove Policy [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords (2d67222d-05fd-4526-a171-2ee132ad9e83) remove Policy [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols (b2fc8f91-866d-4434-9089-5ebfe38d6fd8) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters (23020aa6-1135-4be2-bae2-149982b06eca) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords (726671ac-c4de-4908-8c7d-6043ae62e3b6) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption (8ff0b18b-262e-4512-857a-48ad0aeb9a78) remove Policy [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled (f48b2913-1dc5-4834-8c72-ccc1dfd819bb) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members (93507a81-10a4-4af0-9ee2-34cf25a96e98) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 (f19aa1c1-6b91-4c27-ae6a-970279f03db9) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords (ec49586f-4939-402d-a29e-6ff502b20592) remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members (f3b44e5d-1456-475f-9c67-c66c4618e85a) remove Policy [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 (b18175dd-c599-4c64-83ba-bb018a06d35b) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled (7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8) remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members (bde62c94-ccca-4821-a815-92c1d31a76de) remove Policy [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters (5aebc8d1-020d-4037-89a0-02043a7524ec) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords (3470477a-b35a-49db-aca5-1073d04524fe) remove Policy [Deprecated]: Show audit results from Linux VMs that have accounts without passwords (c40c9087-1981-4e73-9f53-39743eda9d05) remove Policy [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption (2d60d3b7-aa10-454c-88a8-de39d99d17c6)
2020-09-02 14:03:46	remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app (c2e7ca55-f62c-49b2-89a4-d41eb661d2f0) remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App (10c1859c-e1a7-4df3-ab97-a487fa8059f6) remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app (843664e0-7563-41ee-a9cb-7522c382d2c4) remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app (ab965db2-d2bf-4b64-8b39-c38ec8179461)
2020-07-01 14:50:07	remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings (c8343d2f-fdc9-4a97-b76f-fc71d1163bfc) remove Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278) remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings (aeb23562-188d-47cb-80b8-551f16ef9fff)
2020-06-23 16:03:23	remove Policy Security Center standard pricing tier should be selected (a1181c5f-672a-477a-979a-7d58aa086233)
2020-06-11 19:46:04	add Initiative 03055927-78bd-4236-86c0-f36125a10dc9

Policy count

Total Policies: 471
Builtin Policies: 471
Static Policies: 0

Policy used

Policy DisplayName	Policy Id	Category	Effect	Roles#	Roles	State
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall	fc5e4038-4584-4632-8c85-c0448d374b2c	Network	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed	8dfab9c4-fe7b-49ad-85e4-1e9be085358f	Kubernetes	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data	2e94d99a-8a36-4563-bc77-810d8893b671	Backup	Default Audit Allowed Audit, Deny, Disabled	0		Preview
[Preview]: Certificates should have the specified maximum validity period	0a075868-4c26-42ef-914c-5bc007359560	Key Vault	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		Preview
[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)	47031206-ce96-41f8-861b-6a915f3de284	Internet of Things	Default Audit Allowed Audit, Deny, Disabled	0		Preview
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	842c54e8-c2f9-4d79-ae8d-38d8b8019373	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines	04c4380f-3fae-46e8-96c9-30193528f602	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines	2f2ee1de-44aa-4762-b6bd-0893fc3f306d	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
[Preview]: Private endpoint should be configured for Key Vault	5f0bc445-3935-4915-9981-011aa2b46147	Key Vault	Default Audit Allowed Audit, Deny, Disabled	0		Preview
[Preview]: Storage account public access should be disallowed	4fa4b6c0-31ca-4c0d-b10d-24b96f62a751	Storage	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		Preview
A maximum of 3 owners should be designated for your subscription	4f11b553-d42e-4e3a-89be-32ca364cad4c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
A vulnerability assessment solution should be enabled on your virtual machines	501541f7-f7e7-4cd6-868c-4190fdad3ac9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Adaptive application controls for defining safe applications should be enabled on your machines	47a6b606-51aa-4496-8bb7-64b11cf66adc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines	08e6af2d-db70-460a-bfe9-d5bd474ba9d6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	3cf2ab00-13f1-4d0c-8971-2ac904541a7e	Guest Configuration	Fixed modify	1	Contributor	GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	497dff13-db2a-4c0f-8603-28fa3b331ab6	Guest Configuration	Fixed modify	1	Contributor	GA
Adhere to retention periods defined	1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Adopt biometric authentication mechanisms	7d7a8356-5c34-9a95-3118-1424cfaf192a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
All network ports should be restricted on network security groups associated to your virtual machine	9daedab3-fb2d-461e-b861-71790eead4f6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Allowlist rules in your adaptive application control policy should be updated	123a3936-f020-408a-ba0c-47873faf1534	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
An Azure Active Directory administrator should be provisioned for SQL servers	1f314764-cb73-4fc9-b863-8eca98ac36e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
API Management services should use a virtual network	ef619a2c-cc4d-4d03-b2ba-8c94a834d85b	API Management	Default Audit Allowed Audit, Disabled	0		GA
App Configuration should use private link	ca610c1d-041c-4332-9d88-7ed3094967c7	App Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled	5bb220d9-2698-4ee4-8404-b9c30c9df609	App Service	Default Audit Allowed Audit, Disabled	0		GA
App Service apps should have remote debugging turned off	cb510bfd-1cba-4d9f-a230-cb0976f4bb71	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should have resource logs enabled	91a78b24-f231-4a8a-8da9-02c35b2b6510	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should not have CORS configured to allow every resource to access your apps	5744710e-cc2f-4ee8-8809-3b11e89f4bc9	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should only be accessible over HTTPS	a4af4a39-4135-47fb-b175-47fbdf85311d	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
App Service apps should require FTPS only	4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should use latest 'HTTP Version'	8c122334-9d20-4eb8-89ea-ac9a705b74ae	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should use managed identity	2b9ad585-36bc-4615-b300-fd4435808332	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should use the latest TLS version	f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps that use Java should use the latest 'Java version'	496223c3-ad65-4ecd-878a-bae78737e9ed	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps that use PHP should use the latest 'PHP version'	7261b898-8a84-4db8-9e04-18527132abb3	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps that use Python should use the latest 'Python version'	7008174a-fd10-4ef0-817e-fc820a951d73	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service Environment should have internal encryption enabled	fb74e86f-d351-4b8d-b034-93da7391c01f	App Service	Default Audit Allowed Audit, Disabled	0		GA
Assess risk in third party relationships	0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Assess Security Controls	c423e64d-995c-9f67-0403-b540f65ba42a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Assign information security representative to change control	6abdf7c7-362b-3f35-099e-533ed50988f9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Assign system identifiers	f29b17a4-0df2-8a50-058a-8570f9979d28	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Audit Linux machines that allow remote connections from accounts without passwords	ea53dbee-c6c9-4f0e-9f9e-de0039b78023	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that do not have the passwd file permissions set to 0644	e6955644-301c-44b5-a4c4-528577de6861	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that have accounts without passwords	f6ec09a3-78bf-4f8f-99dc-6c77182d0f99	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit privileged functions	f26af0b1-65b6-689a-a03f-352ad2d00f98	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Audit usage of custom RBAC rules	a451c1ef-c6ca-483d-87ed-f49761e3ffb5	General	Default Audit Allowed Audit, Disabled	0		GA
Audit user account status	49c23d9b-02b0-0e42-4f94-e8cef1b8381b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Audit Windows machines missing any of specified members in the Administrators group	30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7	Guest Configuration	Fixed auditIfNotExists	0		GA
Audit Windows machines that allow re-use of the previous 24 passwords	5b054a0d-39e2-4d53-bea3-9734cad2c69b	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not have the password complexity setting enabled	bf16e0bb-31e1-4646-8202-60a235cc7e74	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not restrict the minimum password length to 14 characters	a2d0e922-65d0-40c4-8f87-ea6da2d307a2	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not store passwords using reversible encryption	da0f98fe-a24b-4ad5-af69-bd0400233661	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that have the specified members in the Administrators group	69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f	Guest Configuration	Fixed auditIfNotExists	0		GA
Auditing on SQL server should be enabled	a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Authentication to Linux machines should require SSH keys	630c64f9-8b6b-4c64-b511-6544ceff6fd6	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Authorize access to security functions and information	aeed863a-0f56-429f-945d-8bb66bd06841	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorize and manage access	50e9324a-7410-0539-0662-2c1e775538b7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorize remote access	dad8a2e9-6f27-4fc2-8933-7e99fe700c9c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorize remote access to privileged commands	01c387ea-383d-4ca9-295a-977fab516b03	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorize, monitor, and control usage of mobile code technologies	291f20d4-8d93-1d73-89f3-6ce28b825563	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorize, monitor, and control voip	e4e1f896-8a93-1151-43c7-0ad23b081ee2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorized IP ranges should be defined on Kubernetes Services	0e246bcf-5f6f-4f87-bc6f-775d4712c7ea	Security Center	Default Audit Allowed Audit, Disabled	0		GA
Auto provisioning of the Log Analytics agent should be enabled on your subscription	475aae12-b88a-4572-8b36-9b712b2b3a17	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Automate approval request for proposed changes	575ed5e8-4c29-99d0-0e4d-689fb1d29827	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate implementation of approved change notifications	c72fc0c8-2df8-7506-30be-6ba1971747e1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate process to document implemented changes	43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate process to highlight unreviewed change proposals	92b49e92-570f-1765-804a-378e6c592e28	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate process to prohibit implementation of unapproved changes	7d10debd-4775-85a7-1a41-7e128e0e8c50	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate proposed documented changes	5c40f27b-6791-18c5-3f85-7b863bd99c11	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automation account variables should be encrypted	3657f5a0-770e-44a3-b44e-9431ba1e9735	Automation	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure API for FHIR should use a customer-managed key to encrypt data at rest	051cba44-2429-45b9-9649-46cec11c7119	API for FHIR	Default Audit Allowed audit, Audit, disabled, Disabled	0		GA
Azure API for FHIR should use private link	1ee56206-5dd1-42ab-b02d-8aae8b1634ce	API for FHIR	Default Audit Allowed Audit, Disabled	0		GA
Azure Automation accounts should use customer-managed keys to encrypt data at rest	56a5ee18-2ae6-4810-86f7-18e39ce5629b	Automation	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Backup should be enabled for Virtual Machines	013e242c-8828-4970-87b3-ab247555486d	Backup	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Batch account should use customer-managed keys to encrypt data	99e9ccd8-3db9-4592-b0d1-14b1715a4d8a	Batch	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Cache for Redis should use private link	7803067c-7d34-46e3-8c79-0ca68fc4036d	Cache	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Cognitive Search service should use a SKU that supports private link	a049bf77-880b-470f-ba6d-9f21c530cf83	Search	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Cognitive Search services should disable public network access	ee980b6d-0eca-4501-8d54-f6290fd512c3	Search	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Cognitive Search services should use private link	0fda3595-9f2b-4592-8675-4231d6fa82fe	Search	Default Audit Allowed Audit, Disabled	0		GA
Azure Container Instance container group should use customer-managed key for encryption	0aa61e00-0a01-4a3c-9945-e93cffedf0e6	Container Instance	Default Audit Allowed Audit, Disabled, Deny	0		GA
Azure Cosmos DB accounts should have firewall rules	862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb	Cosmos DB	Default Deny Allowed Audit, Deny, Disabled	0		GA
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest	1f905d99-2ab7-462c-a6b0-f709acca6c8f	Cosmos DB	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Azure Data Box jobs should enable double encryption for data at rest on the device	c349d81b-9985-44ae-a8da-ff98d108ede8	Data Box	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password	86efb160-8de7-451d-bc08-5d475b0aadae	Data Box	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Data Explorer encryption at rest should use a customer-managed key	81e74cea-30fd-40d5-802f-d72103c2aaaa	Azure Data Explorer	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure data factories should be encrypted with a customer-managed key	4ec52d6d-beb7-40c4-9a9e-fe753254690e	Data Factory	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Data Factory should use private link	8b0323be-cc25-4b61-935d-002c3798c6ea	Data Factory	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for App Service should be enabled	2913021d-f2fd-4f3d-b958-22354e2bdbcb	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for Azure SQL Database servers should be enabled	7fe3b40f-802b-4cdd-8bd4-fd799c948cc2	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for DNS should be enabled	bdc59948-5574-49b3-bb91-76b7c986428d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for Key Vault should be enabled	0e6763cc-5078-4e64-889d-ff4d9a839047	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for Resource Manager should be enabled	c3d20c29-b36d-48fe-808b-99a87530ad99	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for servers should be enabled	4da35fc9-c9e7-4960-aec9-797fe7d9051d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for SQL servers on machines should be enabled	6581d072-105e-4418-827f-bd446d56421b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for SQL should be enabled for unprotected Azure SQL servers	abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances	abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for Storage should be enabled	308fbb08-4ab8-4e67-9b29-592e93fb94fa	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Event Grid domains should use private link	9830b652-8523-49cc-b1b3-e17dce1127ca	Event Grid	Default Audit Allowed Audit, Disabled	0		GA
Azure Event Grid topics should use private link	4b90e17e-8448-49db-875e-bd83fb6f804f	Event Grid	Default Audit Allowed Audit, Disabled	0		GA
Azure File Sync should use private link	1d320205-c6a1-4ac6-873d-46224024e8e2	Storage	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure HDInsight clusters should use customer-managed keys to encrypt data at rest	64d314f6-6062-4780-a861-c23e8951bee5	HDInsight	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure HDInsight clusters should use encryption at host to encrypt data at rest	1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6	HDInsight	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes	d9da03a1-f3c3-412a-9709-947156872263	HDInsight	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Key Vault should have firewall enabled	55615ac9-af46-4a59-874e-391cc3dfb490	Key Vault	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Machine Learning workspaces should be encrypted with a customer-managed key	ba769a63-b8cc-4b2d-abf6-ac33c7204be8	Machine Learning	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Machine Learning workspaces should use private link	40cec1dd-a100-4920-b15b-3024fe8901ab	Machine Learning	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)	ea0dfaed-95fb-448c-934e-d6e713ce393d	Monitoring	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Azure Monitor Logs clusters should be encrypted with customer-managed key	1f68a601-6e6d-4e42-babf-3f643a047ea2	Monitoring	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters	0a15ec92-a229-4763-bb14-0ea34a568f8d	Kubernetes	Default Audit Allowed Audit, Disabled	0		GA
Azure Service Bus namespaces should use private link	1c06e275-d63d-4540-b761-71f364c2111d	Service Bus	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure SignalR Service should use private link	2393d2cf-a342-44cd-a2e2-fe0188fd1234	SignalR	Default Audit Allowed Audit, Disabled	0		GA
Azure Spring Cloud should use network injection	af35e2a4-ef96-44e7-a9ae-853dd97032c4	App Platform	Default Audit Allowed Audit, Disabled, Deny	0		GA
Azure Stack Edge devices should use double-encryption	b4ac1030-89c5-4697-8e00-28b5ba6a8811	Azure Stack Edge	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Azure Stream Analytics jobs should use customer-managed keys to encrypt data	87ba29ef-1ab3-4d82-b763-87fcd4f531f7	Stream Analytics	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest	f7d52b2d-e161-4dfa-a82b-55e564167385	Synapse	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Synapse workspaces should use private link	72d11df1-dd8a-41f7-8925-b05b960ebafc	Synapse	Default Audit Allowed Audit, Disabled	0		GA
Azure Web Application Firewall should be enabled for Azure Front Door entry-points	055aa869-bc98-4af8-bafc-23f1ab6ffe2c	Network	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Web PubSub Service should use private link	eb907f70-7514-460d-92b3-a5ae93b4f917	Web PubSub	Default Audit Allowed Audit, Disabled	0		GA
Block untrusted and unsigned processes that run from USB	3d399cf3-8fc6-0efc-6ab0-1412f1198517	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Bot Service should be encrypted with a customer-managed key	51522a96-0869-4791-82f3-981000c2c67f	Bot Service	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys	7d7be79c-23ba-4033-84dd-45e2a5ccdd67	Kubernetes	Default Audit Allowed Audit, Deny, Disabled	0		GA
Clear personnel with access to classified information	c42f19c9-5d88-92da-0742-371a0ea03126	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Cognitive Services accounts should disable public network access	0725b4dd-7e76-479c-a735-68e7ee23d5ca	Cognitive Services	Default Audit Allowed Audit, Deny, Disabled	0		GA
Cognitive Services accounts should enable data encryption with a customer-managed key	67121cc7-ff39-4ab8-b7e3-95b84dab487d	Cognitive Services	Default Audit Allowed Audit, Deny, Disabled	0		GA
Cognitive Services accounts should have local authentication methods disabled	71ef260a-8f18-47b7-abcb-62d0673d94dc	Cognitive Services	Default Audit Allowed Audit, Deny, Disabled	0		GA
Cognitive Services accounts should restrict network access	037eea7a-bd0a-46c5-9a66-03aea78705d3	Cognitive Services	Default Audit Allowed Audit, Deny, Disabled	0		GA
Cognitive Services should use private link	cddd188c-4b82-4c48-a19d-ddf74ee66a01	Cognitive Services	Default Audit Allowed Audit, Disabled	0		GA
Compile Audit records into system wide audit	214ea241-010d-8926-44cc-b90a96d52adc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct a full text analysis of logged privileged commands	8eea8c14-4d93-63a3-0c82-000343ee5204	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct a security impact analysis	203101f5-99a3-1491-1b56-acccd9b66a9e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct exit interview upon termination	496b407d-9b9e-81e8-4ba4-44bc686b016a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct incident response testing	3545c827-26ee-282d-4629-23952a12008b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Configure actions for noncompliant devices	b53aa659-513e-032c-52e6-1ce0ba46582f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Configure Azure Audit capabilities	a3e98638-51d4-4e28-910a-60e98c1a756f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Configure detection whitelist	2927e340-60e4-43ad-6b5f-7a1468232cc2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Configure workstations to check for digital certificates	26daf649-22d1-97e9-2a8a-01b182194d59	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Container registries should be encrypted with a customer-managed key	5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580	Container Registry	Default Audit Allowed Audit, Deny, Disabled	0		GA
Container registries should not allow unrestricted network access	d0793b48-0edc-4296-a390-4c75d1bdfd71	Container Registry	Default Audit Allowed Audit, Deny, Disabled	0		GA
Container registries should use private link	e8eef0a8-67cf-4eb4-9386-14b0e78733d4	Container Registry	Default Audit Allowed Audit, Disabled	0		GA
Container registry images should have vulnerability findings resolved	5f0f936f-2f01-4bf5-b6be-d423792fa562	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Control information flow	59bedbdc-0ba9-39b9-66bb-1d1c192384e6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Control maintenance and repair activities	b6ad009f-5c24-1dc0-a25e-74b60e4da45f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Control physical access	55a7f9a0-6397-7589-05ef-5ed59a8149e7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Control use of portable storage devices	36b74844-4a99-4c80-1800-b18a516d1585	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Coordinate contingency plans with related plans	c5784049-959f-6067-420c-f4cefae93076	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Coordinate with external organizations to achieve cross org perspective	d4e6a629-28eb-79a9-000b-88030e4823ca	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Correlate audit records	10874318-0bf7-a41f-8463-03e395482080	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
CosmosDB accounts should use private link	58440f8a-10c5-4151-bdce-dfbaad4a20b7	Cosmos DB	Default Audit Allowed Audit, Disabled	0		GA
Create a data inventory	043c1e56-5a16-52f8-6af8-583098ff3e60	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define a physical key management process	51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define acceptable and unacceptable mobile code technologies	1afada58-8b34-7ac2-a38a-983218635201	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define access authorizations to support separation of duties	341bc9f1-7489-07d9-4ec6-971573e1546a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define cryptographic use	c4ccd607-702b-8ae6-8eeb-fc3339cd4b42	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define information system account types	623b5f0a-8cbd-03a6-4892-201d27302f0c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define mobile device requirements	9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define organizational requirements for cryptographic key management	d661e9eb-4e15-5ba1-6f02-cdc467db0d6c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Deliver security assessment results	8e49107c-3338-40d1-02aa-d524178a2afe	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs	331e8ea8-378a-410f-a2e5-ae22f38bb0da	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	385f5831-96d4-41db-9a3c-cd3af78aaae6	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Deprecated accounts should be removed from your subscription	6b1cbf55-e8b6-442f-ba4c-7246b6381474	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Deprecated accounts with owner permissions should be removed from your subscription	ebb62a0c-3560-49e1-89ed-27e074e9f8ad	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Design an access control model	03b6427e-6072-4226-4bd9-a410ab65317e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Designate authorized personnel to post publicly accessible information	b4512986-80f5-1656-0c58-08866bd2673a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Designate personnel to supervise unauthorized maintenance activities	7a489c62-242c-5db9-74df-c073056d6fa3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Detect network services that have not been authorized or approved	86ecd378-a3a0-5d5b-207c-05e6aaca43fc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Determine assertion requirements	7a0ecd94-3699-5273-76a5-edb8499f655a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Determine auditable events	2f67e567-03db-9d1f-67dc-b6ffb91312f4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop an incident response plan	2b4e134f-1e4c-2bff-573e-082d85479b6e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop and establish a system security plan	b2ea1058-8998-3dd1-84f1-82132ad482fd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop and maintain a vulnerability management standard	055da733-55c6-9e10-8194-c40731057ec4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop and maintain baseline configurations	2f20840e-7925-221c-725d-757442753e7c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop information security policies and procedures	af227964-5b8b-22a2-9364-06d2cb9d6d7c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop POA&M	477bd136-7dd9-55f8-48ac-bae096b86a07	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop security assessment plan	1c258345-5cd4-30c8-9ef3-5ee4dd5231d6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop security safeguards	423f6d9c-0c73-9cc6-64f4-b52242490368	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop SSP that meets criteria	6b957f60-54cd-5752-44d5-ff5a64366c93	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Disable authenticators upon termination	d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Discover any indicators of compromise	07b42fb5-027e-5a3c-4915-9d9ef3020ec7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Disk access resources should use private link	f39f5f49-4abf-44de-8c70-0756997bfb51	Compute	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Disk encryption should be enabled on Azure Data Explorer	f4b53539-8df9-40e4-86c6-6b607703bd4e	Azure Data Explorer	Default Audit Allowed Audit, Deny, Disabled	0		GA
Disseminate security alerts to personnel	9c93ef57-7000-63fb-9b74-88f2e17ca5d2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document and implement wireless access guidelines	04b3e7f6-4841-888d-4799-cda19a0084f6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document remote access guidelines	3d492600-27ba-62cc-a1c3-66eb919f6a0d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document security operations	2c6bee3a-2180-2430-440d-db3c7a849870	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document security strength requirements in acquisition contracts	ebb0ba89-6d8c-84a7-252b-7393881e43de	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document separation of duties	e6f7b584-877a-0d69-77d4-ab8b923a9650	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Double encryption should be enabled on Azure Data Explorer	ec068d99-e9c7-401f-8cef-5bdde4e6ccf1	Azure Data Explorer	Default Audit Allowed Audit, Deny, Disabled	0		GA
Email notification for high severity alerts should be enabled	6e2593d9-add6-4083-9c9b-4b7d2188c899	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Email notification to subscription owner for high severity alerts should be enabled	0b15565f-aa9e-48ba-8619-45960f2c314d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Employ a media sanitization mechanism	eaaae23f-92c9-4460-51cf-913feaea4d52	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ flow control mechanisms of encrypted information	79365f13-8ba4-1f6c-2ac4-aa39929f56d0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ least privilege access	1bc7fd64-291f-028e-4ed6-6e07886e163f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enable dual or joint authorization	2c843d78-8f64-92b5-6a9b-e8186c0e7eb6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enable network protection	8c255136-994b-9616-79f5-ae87810e0dcf	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Endpoint protection solution should be installed on virtual machine scale sets	26a828e1-e88f-464e-bbb3-c134a282b9de	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Enforce a limit of consecutive failed login attempts	b4409bff-2287-8407-05fd-c73175a68302	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce and audit access restrictions	8cd815bf-97e1-5144-0735-11f6ddb50a59	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce appropriate usage of all accounts	fd81a1b3-2d7a-107c-507e-29b87d040c19	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce logical access	10c4210b-3ec9-9603-050d-77e4d26c7ebb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce mandatory and discretionary access control policies	b1666a13-8f67-9c47-155e-69e027ff6823	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce random unique session identifiers	c7d57a6a-7cc2-66c0-299f-83bf90558f5d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce security configuration settings	058e9719-1ff9-3653-4230-23f76b6492e0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce SSL connection should be enabled for MySQL database servers	e802a67a-daf5-4436-9ea6-f6d821dd0c5d	SQL	Default Audit Allowed Audit, Disabled	0		GA
Enforce SSL connection should be enabled for PostgreSQL database servers	d158790f-bfb0-486c-8631-2dc6b4e8e6af	SQL	Default Audit Allowed Audit, Disabled	0		GA
Enforce user uniqueness	e336d5f4-4d8f-0059-759c-ae10f63d1747	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure authorized users protect provided authenticators	37dbe3dc-0e9c-24fa-36f2-11197cbfa207	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Eradicate contaminated information	54a9c072-4a93-2a03-6a43-a060d30383d7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a configuration control board	7380631c-5bf5-0e3a-4509-0873becd8a63	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a data leakage management procedure	3c9aa856-6b86-35dc-83f4-bc72cec74dea	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a password policy	d8bbd80e-3bb1-5983-06c2-428526ec6a63	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a privacy program	39eb03c1-97cc-11ab-0960-6209ed2869f7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a risk management strategy	d36700f2-2f0d-7c2a-059c-bdadd1d79f70	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a threat intelligence program	b0e3035d-6366-2e37-796e-8bcab9c649e6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish an information security program	84245967-7882-54f6-2d34-85059f725b47	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish and document a configuration management plan	526ed90e-890f-69e7-0386-ba5c0f1f784f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish and document change control processes	bd4dc286-2f30-5b95-777c-681f3a7913d3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish and maintain an asset inventory	27965e62-141f-8cca-426f-d09514ee5216	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish authenticator types and processes	921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish backup policies and procedures	4f23967c-a74b-9a09-9dc2-f566f61a87b9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish configuration management requirements for developers	8747b573-8294-86a0-8914-49e9b06a5ace	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish electronic signature and certificate requirements	6f3866e8-6e12-69cf-788c-809d426094a1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish firewall and router configuration standards	398fdbd8-56fd-274d-35c6-fa2d3b2755a1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish network segmentation for card holder data environment	f476f3b0-4152-526e-a209-44e5f8c968d7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish procedures for initial authenticator distribution	35963d41-4263-0ef9-98d5-70eb058f9e3c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish requirements for audit review and reporting	b3c8cc83-20d3-3890-8bc8-5568777670f4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish security requirements for the manufacturing of connected devices	afbecd30-37ee-a27b-8e09-6ac49951a0ee	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish terms and conditions for accessing resources	3c93dba1-84fd-57de-33c7-ef0400a08134	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish terms and conditions for processing resources	5715bf33-a5bd-1084-4e19-bc3c83ec1c35	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish usage restrictions for mobile code technologies	ffdaa742-0d6f-726f-3eac-6e6c34e36c93	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish voip usage restrictions	68a39c2b-0f17-69ee-37a3-aa10f9853a08	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Event Hub namespaces should use a customer-managed key for encryption	a1ad735a-e96f-45d2-a7b2-9a4932cab7ec	Event Hub	Default Audit Allowed Audit, Disabled	0		GA
Event Hub namespaces should use private link	b8564268-eb4a-4337-89be-a19db070c59d	Event Hub	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Execute actions in response to information spills	ba78efc6-795c-64f4-7a02-91effbd34af9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Explicitly notify use of collaborative computing devices	62fa14f0-4cbe-762d-5469-0899a99b98aa	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
External accounts with owner permissions should be removed from your subscription	f8456c1c-aa66-4dfb-861a-25d127b775c9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
External accounts with read permissions should be removed from your subscription	5f76cf89-fbf2-47fd-a3f4-b891fa780b60	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
External accounts with write permissions should be removed from your subscription	5c607a2e-c700-4744-8254-d77e7c9eb5e4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should have 'Client Certificates (Incoming client certificates)' enabled	eaebaea7-8013-4ceb-9d14-7eb32271373c	App Service	Default Audit Allowed Audit, Disabled	0		GA
Function apps should have remote debugging turned off	0e60b895-3786-45da-8377-9c6b4b6ac5f9	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should not have CORS configured to allow every resource to access your apps	0820b7b9-23aa-4725-a1ce-ae4558f718e5	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should only be accessible over HTTPS	6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
Function apps should require FTPS only	399b2637-a50f-4f95-96f8-3a145476eb15	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should use latest 'HTTP Version'	e2c1c086-2d84-4019-bff3-c44ccd95113c	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should use managed identity	0da106f2-4ca3-48e8-bc85-c638fe6aea8f	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should use the latest TLS version	f9d614c5-c173-4d56-95a7-b4437057d193	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps that use Java should use the latest 'Java version'	9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps that use Python should use the latest 'Python version'	7238174a-fd10-4ef0-817e-fc820a951d73	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Geo-redundant backup should be enabled for Azure Database for MariaDB	0ec47710-77ff-4a3d-9181-6aa50af424d0	SQL	Default Audit Allowed Audit, Disabled	0		GA
Geo-redundant backup should be enabled for Azure Database for MySQL	82339799-d096-41ae-8538-b108becf0970	SQL	Default Audit Allowed Audit, Disabled	0		GA
Geo-redundant backup should be enabled for Azure Database for PostgreSQL	48af4db5-9b8b-401c-8e74-076be876a430	SQL	Default Audit Allowed Audit, Disabled	0		GA
Govern and monitor audit processing activities	333b4ada-4a02-0648-3d4d-d812974f1bb2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Govern compliance of cloud service providers	5c33538e-02f8-0a7f-998b-a4c1e22076d3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Guest Configuration extension should be installed on your machines	ae89ebca-1c92-4898-ac2c-9f63decb045c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
HPC Cache accounts should use customer-managed key for encryption	970f84d8-71b6-4091-9979-ace7e3fb6dbb	Storage	Default Audit Allowed Audit, Disabled, Deny	0		GA
Identify and authenticate network devices	ae5345d5-8dab-086a-7290-db43a3272198	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Identify and manage downstream information exchanges	c7fddb0e-3f44-8635-2b35-dc6b8e740b7c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement an automated configuration management tool	33832848-42ab-63f3-1a55-c0ad309d44cd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement an insider threat program	35de8462-03ff-45b3-5746-9d4603c74c56	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement controls to secure all media	e435f7e3-0dd9-58c9-451f-9b44b96c0232	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement controls to secure alternate work sites	cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement incident handling	433de59e-7a53-a766-02c2-f80f8421469a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement parameters for memorized secret verifiers	3b30aa25-0f19-6c04-5ca4-bd3f880a763d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement personnel screening	e0c480bf-0d68-a42d-4cbb-b60f851f8716	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement physical security for offices, working areas, and secure areas	05ec66a2-137c-14b8-8e75-3d7a2bef07f8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement plans of action and milestones for security program process	d93fe1be-13e4-421d-9c21-3158e2fa2667	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement privileged access for executing vulnerability scanning activities	5b802722-71dd-a13d-2e7e-231e09589efb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement security directives	26d178a4-9261-6f04-a100-47ed85314c6e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement security engineering principles of information systems	df2e9507-169b-4114-3a52-877561ee3198	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Incorporate flaw remediation into configuration management	34aac8b2-488a-2b96-7280-5b9b481a317a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Information flow control using security policy filters	13ef3484-3a51-785a-9c96-500f21f84edd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Infrastructure encryption should be enabled for Azure Database for MySQL servers	3a58212a-c829-4f13-9872-6371df2fd0b4	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers	24fba194-95d6-48c0-aea7-f65bf859c598	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Initiate transfer or reassignment actions	b8a9bb2f-7290-3259-85ce-dca7d521302d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Install an alarm system	aa0ddd99-43eb-302d-3f8f-42b499182960	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Integrate Audit record analysis	85335602-93f5-7730-830b-d43426fd51fa	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Integrate audit review, analysis, and reporting	f741c4e6-41eb-15a4-25a2-61ac7ca232f0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Integrate cloud app security with a siem	9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Internet-facing virtual machines should be protected with network security groups	f6de0be7-9a8a-4b8a-b349-43cf02d22f7c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
IoT Hub device provisioning service instances should use private link	df39c015-56a4-45de-b4a3-efe77bed320d	Internet of Things	Default Audit Allowed Audit, Disabled	0		GA
IP Forwarding on your virtual machine should be disabled	bd352bd5-2853-4985-bf0d-73806b4a5744	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Issue public key certificates	97d91b33-7050-237b-3e23-a77d57d84e13	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Key Vault keys should have an expiration date	152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0	Key Vault	Default Audit Allowed Audit, Deny, Disabled	0		GA
Key Vault secrets should have an expiration date	98728c90-32c7-4049-8429-847dc0f4fe37	Key Vault	Default Audit Allowed Audit, Deny, Disabled	0		GA
Key vaults should have purge protection enabled	0b60c0b2-2dc2-4e1c-b5c9-abbed971de53	Key Vault	Default Audit Allowed Audit, Deny, Disabled	0		GA
Key vaults should have soft delete enabled	1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d	Key Vault	Default Audit Allowed Audit, Deny, Disabled	0		GA
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits	e345eecc-fa47-480f-9e88-67dcc122b164	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster containers should not share host process ID or host IPC namespace	47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster containers should only use allowed AppArmor profiles	511f5417-5d12-434d-ab2e-816901e72a5e	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster containers should only use allowed capabilities	c26596ff-4d70-4e6a-9a30-c2506bd2f80c	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster containers should only use allowed images	febd0533-8e55-448f-b837-bd0e06f16469	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster containers should run with a read only root file system	df49d893-a74c-421d-bc95-c663042e5b80	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster pod hostPath volumes should only use allowed host paths	098fc59e-46c7-4d99-9b16-64990e543d75	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster pods and containers should only run with approved user and group IDs	f06ddb64-5fa3-4b77-b166-acb36f7f6042	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster pods should only use approved host network and port range	82985f06-dc18-4a48-bc1c-b9f4f0098cfe	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster services should listen only on allowed ports	233a2a17-77ca-4fb1-9b6b-69223d272a44	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes cluster should not allow privileged containers	95edb821-ddaf-4404-9732-666045e056b4	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes clusters should be accessible only over HTTPS	1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes clusters should not allow container privilege escalation	1c6e92c9-99f0-4e55-9cf2-0c234dc48f99	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version	fb893a29-21bb-418c-a157-e99480ec364c	Security Center	Default Audit Allowed Audit, Disabled	0		GA
Limit privileges to make changes in production environment	2af551d5-1775-326a-0589-590bfb7e9eb2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Linux machines should meet requirements for the Azure compute security baseline	fc9b3da7-8347-4380-8e70-0a0361d8dedd	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring	a4fe33eb-e377-4efb-ab31-0784311bc499	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring	a3a6ea0c-e018-4933-9ef0-5aaa1501449b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Logic Apps Integration Service Environment should be encrypted with customer-managed keys	1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5	Logic Apps	Default Audit Allowed Audit, Deny, Disabled	0		GA
Maintain integrity of audit system	c0559109-6a27-a217-6821-5a6d44f92897	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Maintain list of authorized remote maintenance personnel	4ce91e4e-6dab-3c46-011a-aa14ae1561bf	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Maintain records of processing of personal data	92ede480-154e-0e22-4dca-8b46a74a3a51	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage a secure surveillance camera system	f2222056-062d-1060-6dc2-0107a68c34b2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage authenticator lifetime and reuse	29363ae1-68cd-01ca-799d-92c9197c8404	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage Authenticators	4aacaec9-0628-272c-3e83-0d68446694e0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage gateways	63f63e71-6c3f-9add-4c43-64de23e554a7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage maintenance personnel	b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage nonlocal maintenance and diagnostic activities	1fb1cb0e-1936-6f32-42fd-89970b535855	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage symmetric cryptographic keys	9c276cf3-596f-581a-7fbd-f5e46edaa0f4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage the transportation of assets	4ac81669-00e2-9790-8648-71bc11bc91eb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Managed disks should be double encrypted with both platform-managed and customer-managed keys	ca91455f-eace-4f96-be59-e6e2c35b4816	Compute	Default Audit Allowed Audit, Deny, Disabled	0		GA
Management ports of virtual machines should be protected with just-in-time network access control	b0f33259-77d7-4c9e-aac6-3aabcfae693c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Management ports should be closed on your virtual machines	22730e10-96f6-4aac-ad84-9383d35b5917	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
MFA should be enabled for accounts with write permissions on your subscription	9297c21d-2ed6-4474-b48f-163f75654ce3	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
MFA should be enabled on accounts with owner permissions on your subscription	aa633080-8b72-40c4-a2d7-d00c03e80bed	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
MFA should be enabled on accounts with read permissions on your subscription	e3576e28-8b17-4677-84c3-db2990658d64	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Microsoft Antimalware for Azure should be configured to automatically update protection signatures	c43e4a30-77cb-48ab-a4dd-93f175c63b57	Compute	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Microsoft Defender for Containers should be enabled	1c988dd6-ade4-430f-a608-2a3e5b0a6d38	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Microsoft IaaSAntimalware extension should be deployed on Windows servers	9b597639-28e4-48eb-b506-56b05d366257	Compute	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Modify access authorizations upon personnel transfer	979ed3b6-83f9-26bc-4b86-5b05464700bf	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Monitor access across the organization	48c816c5-2190-61fc-8806-25d6f3df162f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Monitor missing Endpoint Protection in Azure Security Center	af6cd1bd-1635-48cb-bde7-5b15693900b9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Monitor privileged role assignment	ed87d27a-9abf-7c71-714c-61d881889da4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
MySQL servers should use customer-managed keys to encrypt data at rest	83cef61d-dbd1-4b20-a4fc-5fbc7da10833	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Network Watcher should be enabled	b6e2945c-0b7b-40f5-9233-7a5323b5cdc6	Network	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Non-internet-facing virtual machines should be protected with network security groups	bb91dfba-c30d-4263-9add-9c2384e659a6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Notify upon termination or transfer	c79d378a-2521-822a-0407-57454f8d2c74	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Notify users of system logon or access	fe2dff43-0a8c-95df-0432-cb1c794b17d0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Obscure feedback information during authentication process	1ff03f2a-974b-3272-34f2-f6cd51420b30	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Only secure connections to your Azure Cache for Redis should be enabled	22bee202-a82f-4305-9a2a-6d7f44d4dedb	Cache	Default Audit Allowed Audit, Deny, Disabled	0		GA
OS and data disks should be encrypted with a customer-managed key	702dd420-7fcc-42c5-afe8-4026edd20fe0	Compute	Default Audit Allowed Audit, Deny, Disabled	0		GA
Perform a privacy impact assessment	d18af1ac-0086-4762-6dc8-87cdded90e39	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform a risk assessment	8c5d3d8d-5cba-0def-257c-5ab9ea9644dc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform a trend analysis on threats	50e81644-923d-33fc-6ebb-9733bc8d1a06	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform audit for configuration change control	1282809c-9001-176b-4a81-260a085f4872	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform vulnerability scans	3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
PostgreSQL servers should use customer-managed keys to encrypt data at rest	18adea5e-f416-4d0f-8aa8-d24321e3e274	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Prevent identifier reuse for the defined time period	4781e5fd-76b8-7d34-6df3-a0a7fca47665	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Prevent split tunneling for remote devices	66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Private endpoint connections on Azure SQL Database should be enabled	7698e800-9299-47a6-b3b6-5a0fee576eed	SQL	Default Audit Allowed Audit, Disabled	0		GA
Private endpoint should be enabled for MariaDB servers	0a1302fb-a631-4106-9753-f3d494733990	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Private endpoint should be enabled for MySQL servers	7595c971-233d-4bcf-bd18-596129188c49	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Private endpoint should be enabled for PostgreSQL servers	0564d078-92f5-4f97-8398-b9f58a51f70b	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Produce Security Assessment report	70a7a065-a060-85f8-7863-eb7850ed2af9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Prohibit remote activation of collaborative computing devices	678ca228-042d-6d8e-a598-c58d5670437d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect against and prevent data theft from departing employees	80a97208-264e-79da-0cc7-4fca179a0c9c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect audit information	0e696f5a-451f-5c15-5532-044136538491	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect data in transit using encryption	b11697e8-9515-16f1-7a35-477d5c8a1344	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect passwords with encryption	b2d3e5a2-97ab-5497-565a-71172a729d93	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect special information	a315c657-4a00-8eba-15ac-44692ad24423	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect wireless access	d42a8f69-a193-6cbc-48b9-04a9e29961f1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide audit review, analysis, and reporting capability	44f8a42d-739f-8030-89a8-4c2d5b3f6af3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide capability to process customer-controlled audit records	21633c09-804e-7fcd-78e3-635c6bfe2be7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide information spillage training	2d4d0e90-32d9-4deb-2166-a00d51ed57c0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide periodic role-based security training	9ac8621d-9acd-55bf-9f99-ee4212cc3d85	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide periodic security awareness training	516be556-1353-080d-2c2f-f46f000d5785	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide privacy training	518eafdd-08e5-37a9-795b-15a8d798056d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide real-time alerts for audit event failures	0f4fa857-079d-9d3d-5c49-21f616189e03	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide security awareness training for insider threats	9b8b05ec-3d21-215e-5d98-0f7cf0998202	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide security training before providing access	2b05dca2-25ec-9335-495c-29155f785082	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide security training for new users	1cb7bf71-841c-4741-438a-67c65fdd7194	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Public network access on Azure SQL Database should be disabled	1b8ca024-1d5c-4dec-8995-b1a932b41780	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Public network access should be disabled for MariaDB servers	fdccbe47-f3e3-4213-ad5d-ea459b2fa077	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Public network access should be disabled for MySQL servers	d9844e8a-1437-4aeb-a32c-0c992f056095	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Public network access should be disabled for PostgreSQL servers	b52376f7-9612-48a1-81cd-1ffe4b61032c	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Reauthenticate or terminate a user session	d6653f89-7cb5-24a4-9d71-51581038231b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Reevaluate access upon personnel transfer	e89436d8-6a93-3b62-4444-1d2a42ad56b2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Refresh authenticators	3ae68d9a-5696-8c32-62d3-c6f9c52e437c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Remediate information system flaws	be38a620-000b-21cf-3cb3-ea151b704c3b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require approval for account creation	de770ba6-50dd-a316-2932-e0d972eaa734	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require use of individual authenticators	08ad71d0-52be-6503-4908-e015460a16ae	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Resource logs in Azure Data Lake Store should be enabled	057ef27e-665e-4328-8ea3-04b3122bd9fb	Data Lake	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Azure Stream Analytics should be enabled	f9be5368-9bf5-4b84-9e0a-7850da98bb46	Stream Analytics	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Batch accounts should be enabled	428256e6-1fac-4f48-a757-df34c2b3336d	Batch	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Data Lake Analytics should be enabled	c95c74d9-38fe-4f0d-af86-0c7d626a315c	Data Lake	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Event Hub should be enabled	83a214f7-d01a-484b-91a9-ed54470c9a6a	Event Hub	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in IoT Hub should be enabled	383856f8-de7f-44a2-81fc-e5135b5c2aa4	Internet of Things	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Key Vault should be enabled	cf820ca0-f99e-4f3e-84fb-66e913812d21	Key Vault	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Logic Apps should be enabled	34f95f76-5386-4de7-b824-0d8478470c9d	Logic Apps	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Search services should be enabled	b4330a05-a843-4bc8-bf9a-cacce50c67f4	Search	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Service Bus should be enabled	f8d36e2f-389b-4ee4-898d-21aeb69a0f45	Service Bus	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Virtual Machine Scale Sets should be enabled	7c1b1214-f927-48bf-8882-84f0af6588b1	Compute	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Restrict access to private keys	8d140e8b-76c7-77de-1d46-ed1b2e112444	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Restrict access to privileged accounts	873895e8-0e3a-6492-42e9-22cd030e9fcd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Restrict media use	6122970b-8d4a-7811-0278-4c6c68f61e4f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Restrict unauthorized software and firmware installation	4ee5975d-2507-5530-a20a-83a725889c6f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Retain previous versions of baseline configs	5e4e9685-3818-5934-0071-2620c4fa2ca5	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Retain security policies and procedures	efef28d0-3226-966a-a1e8-70e89c1b30bc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Retain terminated user data	7c7032fe-9ce6-9092-5890-87a1a3755db1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review account provisioning logs	a830fe9e-08c9-a4fb-420c-6f6bf1702395	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review administrator assignments weekly	f27a298f-9443-014a-0d40-fef12adf0259	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and reevaluate privileges	585af6e9-90c0-4575-67a7-2f9548972e32	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update the events defined in AU-02	a930f477-9dcb-2113-8aa7-45bb6fc90861	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review audit data	6625638f-3ba1-7404-5983-0ea33d719d34	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review changes for any unauthorized changes	c246d146-82b0-301f-32e7-1065dcd248b7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review cloud identity report overview	8aec4343-9153-9641-172c-defb201f56b3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review content prior to posting publicly accessible information	9e3c505e-7aeb-2096-3417-b132242731fc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review controlled folder access events	f48b60c6-4b37-332f-7288-b6ea50d300eb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review file and folder activity	ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review malware detections report weekly	4a6f5cbd-6c6b-006f-2bb1-091af1441bce	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review publicly accessible content for nonpublic information	b5244f81-6cab-3188-2412-179162294996	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review role group changes weekly	70fe686f-1f91-7dab-11bf-bca4201e183b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review threat protection status weekly	fad161f5-5261-401a-22dd-e037bae011bd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review user groups and applications with access to sensitive data	eb1c944e-0e94-647b-9b7e-fdb8d2af0838	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Revoke privileged roles as appropriate	32f22cfa-770b-057c-965b-450898425519	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Route traffic through managed network access points	bab9ef1d-a16d-421a-822d-3fa94e808156	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Run simulation attacks	a8f9c283-9a66-3eb3-9e10-bdba95b85884	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption	fa298e57-9444-42ba-bf04-86e8470e32c7	Monitoring	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Secure transfer to storage accounts should be enabled	404c3081-a854-4457-ae30-26a93ef643f9	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Separate duties of individuals	60ee1260-97f0-61bb-8155-5d8b75743655	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Separate user and information system management functionality	8a703eb5-4e53-701b-67e4-05ba2f7930c8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Service Bus Premium namespaces should use a customer-managed key for encryption	295fc8b1-dc9f-4f53-9c61-3f313ceab40a	Service Bus	Default Audit Allowed Audit, Disabled	0		GA
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign	617c02be-7f02-4efd-8836-3180d47b6c68	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	0		GA
Service Fabric clusters should only use Azure Active Directory for client authentication	b54ed75b-3e1a-44ac-a333-05ba39b99ff0	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	0		GA
SQL databases should have vulnerability findings resolved	feedbf84-6b99-488c-acc2-71c829aa5ffc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
SQL managed instances should use customer-managed keys to encrypt data at rest	ac01ad65-10e5-46df-bdd9-6b0cad13e1d2	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
SQL servers on machines should have vulnerability findings resolved	6ba6d016-e7c3-4842-b8f2-4992ebc0d72d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
SQL servers should use customer-managed keys to encrypt data at rest	0a370ff3-6cab-4e85-8995-295fd854c5b8	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher	89099bee-89e0-4b26-a5f4-165451757743	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Storage account encryption scopes should use customer-managed keys to encrypt data at rest	b5ec538c-daa0-4006-8596-35468b9148e8	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Storage accounts should be migrated to new Azure Resource Manager resources	37e0d2fe-28a5-43d6-a273-67d37d1f5606	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Storage accounts should have infrastructure encryption	4733ea7b-a883-42fe-8cac-97454c2a9e4a	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Storage accounts should restrict network access	34c877ad-507e-4c82-993e-3452a6e0ad3c	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Storage accounts should restrict network access using virtual network rules	2a1a9cdf-e04d-429a-8416-3bfb72a1b26f	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Storage accounts should use customer-managed key for encryption	6fac406b-40ca-413b-bf8e-0bf964659c25	Storage	Default Audit Allowed Audit, Disabled	0		GA
Storage accounts should use private link	6edd7eda-6dd8-40f7-810d-67160c639cd9	Storage	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Subnets should be associated with a Network Security Group	e71308d3-144b-4262-b144-efdc3cc90517	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Subscriptions should have a contact email address for security issues	4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Support personal verification credentials issued by legal authorities	1d39b5d9-0392-8954-8359-575ce1957d1a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
System updates on virtual machine scale sets should be installed	c3f317a7-a95c-4547-b7e7-11017ebdf2fe	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
System updates should be installed on your machines	86b3d65f-7626-441e-b690-81a8b71cff60	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host	41425d9f-d1a5-499a-9932-f8ed8453932c	Kubernetes	Default Audit Allowed Audit, Deny, Disabled	0		GA
Terminate user session automatically	4502e506-5f35-0df4-684f-b326e3cc7093	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
The Log Analytics extension should be installed on Virtual Machine Scale Sets	efbde977-ba53-4479-b8e9-10b957924fbf	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
There should be more than one owner assigned to your subscription	09024ccc-0c5f-475e-9457-b7c0d9ed487b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Train personnel on disclosure of nonpublic information	97f0d974-1486-01e2-2088-b888f46c0589	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Transparent Data Encryption on SQL databases should be enabled	17k78e20-9358-41c9-923c-fb736d382a12	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Turn on sensors for endpoint security solution	5fc24b95-53f7-0ed1-2330-701b539b97fe	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Undergo independent security review	9b55929b-0101-47c0-a16e-d6ac5c7d21f8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update antivirus definitions	ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update information security policies	5226dee6-3420-711b-4709-8e675ebd828f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update POA&M items	cc057769-01d9-95ad-a36f-1e62a7f9540b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Use dedicated machines for administrative tasks	b8972f60-8d77-1cb8-686f-9c9f4cdd8a59	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Use privileged identity management	e714b481-8fac-64a2-14a9-6f079b2501a4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Use system clocks for audit records	1ee4c7eb-480a-0007-77ff-4ba370776266	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Verify identity before distributing authenticators	72889284-15d2-90b2-4b39-a1e9541e1152	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
View and configure system diagnostic data	0123edae-3567-a05a-9b05-b53ebe9d3e7e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
View and investigate restricted users	98145a9b-428a-7e81-9d14-ebb154a24f93	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Virtual machines and virtual machine scale sets should have encryption at host enabled	fc4d8e41-e223-45ea-9bf5-eada37891d87	Compute	Default Audit Allowed Audit, Deny, Disabled	0		GA
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity	d26f7642-7545-4e18-9b75-8c9bbdee3a9a	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Virtual machines should be connected to a specified workspace	f47b5582-33ec-4c5c-87c0-b010a6b2e917	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Virtual machines should be migrated to new Azure Resource Manager resources	1d84d5fb-01f6-4d12-ba4f-4a26081d403d	Compute	Default Audit Allowed Audit, Deny, Disabled	0		GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources	0961003e-5a0a-4549-abde-af6a37f2724d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Virtual machines should have the Log Analytics extension installed	a70ca396-0a34-413a-88e1-b956c1e683be	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
VM Image Builder templates should use private link	2154edb9-244f-4741-9970-660785bccdaa	VM Image Builder	Default Audit Allowed Audit, Disabled, Deny	0		GA
Vulnerabilities in container security configurations should be remediated	e8cbc669-f12d-49eb-93e7-9273119e9933	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerabilities in security configuration on your machines should be remediated	e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated	3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerability assessment should be enabled on SQL Managed Instance	1b7aa243-30e4-4c9e-bca8-d0d3022b634a	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerability assessment should be enabled on your SQL servers	ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerability assessment should be enabled on your Synapse workspaces	0049a6b3-a662-4f3e-8635-39cf44ace45a	Synapse	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Web Application Firewall (WAF) should be enabled for Application Gateway	564feb30-bf6a-4854-b4bb-0d2d2d1e6c66	Network	Default Audit Allowed Audit, Deny, Disabled	0		GA
Windows Defender Exploit Guard should be enabled on your machines	bed48b13-6647-468e-aa2f-1af1d3f4dd40	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Windows machines should meet requirements for 'Security Options - Network Security'	1221c620-d201-468c-81e7-2817e6107e84	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Windows machines should meet requirements of the Azure compute security baseline	72650e9f-97bc-4b2a-ab5f-9781a9fcecbc	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Windows web servers should be configured to use secure communication protocols	5752e6d6-1206-46d8-8ab1-ecc2f71a8112	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA

Roles used

Total Roles usage: 4
Total Roles unique usage: 1

Role	Role Id	Policies count	Policies
Contributor	b24988ac-6180-42a0-ab88-20f7382dd24c	4	Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

JSON