AzInitiativeAdvertizer

last sync: 2025-Jul-18 17:22:56 UTC

Microsoft cloud security benchmark

Azure BuiltIn Policy Initiative (PolicySet)

Source Azure Portal
Display nameMicrosoft cloud security benchmark
Id1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Version57.51.0
Details on versioning
Versioning Versions supported for Versioning: 29
57.51.0
57.50.0
57.49.0
57.48.0
57.47.0
57.46.0
57.45.0
57.44.0
57.43.0
57.42.0
57.41.0
57.40.0
57.39.0
57.38.0
57.37.0
57.36.0
57.35.0
57.34.0
57.33.0
57.32.0
57.31.0
57.30.0
57.29.0
57.28.1
57.27.0
57.26.0
57.25.0
57.24.0
57.23.1
Built-in Versioning [Preview]
CategorySecurity Center
Microsoft Learn
DescriptionThe Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.
Cloud environmentsAzureCloud = true
AzureChinaCloud = unknown
AzureUSGovernment = true
Available in AzUSGovThe PolicySet is available in AzureUSGovernment cloud. Version: '47.35.0'
Repository: Azure-Policy 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
TypeBuiltIn
DeprecatedFalse
PreviewFalse
Policy-used summary
Policy types Policy states Policy categories
Total Policies: 225
Builtin Policies: 225
Static Policies: 0
Deprecated: 1
GA: 206
Preview: 18
38 categories:
API Management: 10
App Configuration: 1
App Platform: 1
App Service: 15
Automation: 1
Azure Ai Services: 4
Azure Databricks: 5
Azure Update Manager: 1
Backup: 1
Batch: 1
Cache: 2
Cognitive Services: 2
Compute: 2
Container Registry: 3
Cosmos DB: 5
Data Lake: 2
Event Grid: 2
Event Hub: 1
General: 1
Guest Configuration: 7
Internet of Things: 1
Key Vault: 9
Kubernetes: 21
Logic Apps: 1
Machine Learning: 7
Monitoring: 4
Network: 5
Search: 1
Security Center: 54
Service Bus: 1
Service Fabric: 2
SignalR: 1
SQL: 35
Stack HCI: 4
Storage: 8
Stream Analytics: 1
Synapse: 2
VM Image Builder: 1
Policy-used
Policy DisplayName Policy Id Category Version Versioning Effect Roles# Roles State policy in AzUSGov
[Deprecated]: Cognitive Services should use private link cddd188c-4b82-4c48-a19d-ddf74ee66a01 Cognitive Services 3.0.1 (3.0.1-deprecated) 2x
3.0.1, 3.0.0		 Default
Audit
Allowed
Audit, Disabled		 0 Deprecated true
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall fc5e4038-4584-4632-8c85-c0448d374b2c Network 3.0.0-preview 1x
3.0.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview unknown
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed 8dfab9c4-fe7b-49ad-85e4-1e9be085358f Kubernetes 6.0.0-preview 1x
6.0.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview true
[Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled fa498b91-8a7e-4710-9578-da944c68d1fe SQL 1.0.0-preview 1x
1.0.0-preview		 Default
Audit
Allowed
Audit, Disabled		 0 Preview true
[Preview]: Azure Stack HCI servers should have consistently enforced application control policies dad3a6b9-4451-492f-a95c-69efc6f3fada Stack HCI 1.0.0-preview 1x
1.0.0-preview		 Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists		 0 Preview unknown
[Preview]: Azure Stack HCI servers should meet Secured-core requirements 5e6bf724-0154-49bc-985f-27b2e07e636b Stack HCI 1.0.0-preview 1x
1.0.0-preview		 Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists		 0 Preview unknown
[Preview]: Azure Stack HCI systems should have encrypted volumes ee8ca833-1583-4d24-837e-96c2af9488a4 Stack HCI 1.0.0-preview 1x
1.0.0-preview		 Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists		 0 Preview unknown
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff Security Center 6.0.0-preview 1x
6.0.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview true
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets a21f8c92-9e22-4f09-b759-50500d1d2dda Security Center 5.1.0-preview 1x
5.1.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview true
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines 1cb4d9c2-f88f-4069-bee0-dba239a57b09 Security Center 4.0.0-preview 1x
4.0.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview true
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets f655e522-adff-494d-95c2-52d4f6d56a42 Security Center 3.1.0-preview 1x
3.1.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview true
[Preview]: Host and VM networking should be protected on Azure Stack HCI systems 36f0d6bc-a253-4df8-b25b-c3a5023ff443 Stack HCI 1.0.0-preview 1x
1.0.0-preview		 Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists		 0 Preview unknown
[Preview]: Linux virtual machines should use only signed and trusted boot components 13a6c84f-49a5-410a-b5df-5b880c3fe009 Security Center 1.0.0-preview 1x
1.0.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview unknown
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines 842c54e8-c2f9-4d79-ae8d-38d8b8019373 Monitoring 1.0.1-preview 1x
1.0.1-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview unknown
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e Monitoring 1.0.1-preview 1x
1.0.1-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview unknown
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines 04c4380f-3fae-46e8-96c9-30193528f602 Monitoring 1.0.2-preview 1x
1.0.2-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview true
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines 2f2ee1de-44aa-4762-b6bd-0893fc3f306d Monitoring 1.0.2-preview 1x
1.0.2-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 Preview true
[Preview]: Secure Boot should be enabled on supported Windows virtual machines 97566dd7-78ae-4997-8b36-1c7bfe0d8121 Security Center 4.0.0-preview 1x
4.0.0-preview		 Default
Audit
Allowed
Audit, Disabled		 0 Preview true
[Preview]: vTPM should be enabled on supported virtual machines 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 Security Center 2.0.0-preview 1x
2.0.0-preview		 Default
Audit
Allowed
Audit, Disabled		 0 Preview true
A maximum of 3 owners should be designated for your subscription 4f11b553-d42e-4e3a-89be-32ca364cad4c Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
A Microsoft Entra administrator should be provisioned for MySQL servers 146412e9-005c-472b-9e48-c87b72ac229e SQL 1.1.1 2x
1.1.1, 1.1.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
A Microsoft Entra administrator should be provisioned for PostgreSQL servers b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 SQL 1.0.1 2x
1.0.1, 1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
A vulnerability assessment solution should be enabled on your virtual machines 501541f7-f7e7-4cd6-868c-4190fdad3ac9 Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
All network ports should be restricted on network security groups associated to your virtual machine 9daedab3-fb2d-461e-b861-71790eead4f6 Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
An Azure Active Directory administrator should be provisioned for SQL servers 1f314764-cb73-4fc9-b863-8eca98ac36e9 SQL 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
API endpoints in Azure API Management should be authenticated 8ac833bd-f505-48d5-887e-c993a1d3eea0 Security Center 1.0.1 1x
1.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
API endpoints that are unused should be disabled and removed from the Azure API Management service c8acafaf-3d23-44d1-9624-978ef0f8652c Security Center 1.0.1 1x
1.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
API Management APIs should use only encrypted protocols ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 API Management 2.0.2 1x
2.0.2		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA unknown
API Management calls to API backends should be authenticated c15dcc82-b93c-4dcb-9332-fbf121685b54 API Management 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA unknown
API Management calls to API backends should not bypass certificate thumbprint or name validation 92bb331d-ac71-416a-8c91-02f2cb734ce4 API Management 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA unknown
API Management direct management endpoint should not be enabled b741306c-968e-4b67-b916-5675e5c709f4 API Management 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA unknown
API Management minimum API version should be set to 2019-12-01 or higher 549814b6-3212-4203-bdc8-1548d342fb67 API Management 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA unknown
API Management secret named values should be stored in Azure Key Vault f1cc7827-022c-473e-836e-5a51cae0b249 API Management 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA unknown
API Management services should use a virtual network ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
API Management should disable public network access to the service configuration endpoints df73bd95-24da-4a4f-96b9-4e8b94b402bd API Management 1.0.1 1x
1.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
API Management subscriptions should not be scoped to all APIs 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 API Management 1.1.0 1x
1.1.0		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA unknown
App Configuration should use private link ca610c1d-041c-4332-9d88-7ed3094967c7 App Configuration 1.0.2 1x
1.0.2		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
App Service apps should have Client Certificates (Incoming client certificates) enabled 19dd1db6-f442-49cf-a838-b0786b4401ef App Service 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
App Service apps should have remote debugging turned off cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service 2.0.0 1x
2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
App Service apps should have resource logs enabled 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service 2.0.1 1x
2.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
App Service apps should not have CORS configured to allow every resource to access your apps 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service 2.0.0 1x
2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
App Service apps should only be accessible over HTTPS a4af4a39-4135-47fb-b175-47fbdf85311d App Service 4.0.0 1x
4.0.0		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA true
App Service apps should require FTPS only 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b App Service 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
App Service apps should use managed identity 2b9ad585-36bc-4615-b300-fd4435808332 App Service 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
App Service apps should use the latest TLS version f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service 2.1.0 2x
2.1.0, 2.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Audit usage of custom RBAC roles a451c1ef-c6ca-483d-87ed-f49761e3ffb5 General 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Auditing on SQL server should be enabled a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 SQL 2.0.0 1x
2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Authentication to Linux machines should require SSH keys 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Guest Configuration 3.2.0 2x
3.2.0, 3.1.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Authorized IP ranges should be defined on Kubernetes Services 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea Security Center 2.0.1 1x
2.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Automation account variables should be encrypted 3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation 1.1.0 1x
1.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services 2.2.0 2x
2.2.0, 2.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure AI Services resources should have key access disabled (disable local authentication) 71ef260a-8f18-47b7-abcb-62d0673d94dc Azure Ai Services 1.1.0 2x
1.1.0, 1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure AI Services resources should restrict network access 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure Ai Services 3.2.0 3x
3.2.0, 3.1.0, 3.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure AI Services resources should use Azure Private Link d6759c02-b87f-42b7-892e-71b3f471d782 Azure Ai Services 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Azure API Management platform version should be stv2 1dc2fc00-2245-4143-99f4-874c937f13ef API Management 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA unknown
Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed 6b2122c1-8120-4ff5-801b-17625a355590 Kubernetes 1.1.0 1x
1.1.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Backup should be enabled for Virtual Machines 013e242c-8828-4970-87b3-ab247555486d Backup 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Cache for Redis should use private link 7803067c-7d34-46e3-8c79-0ca68fc4036d Cache 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Cosmos DB accounts should have firewall rules 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Cosmos DB 2.1.0 2x
2.1.0, 2.0.0		 Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest 1f905d99-2ab7-462c-a6b0-f709acca6c8f Cosmos DB 1.1.0 1x
1.1.0		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Azure Cosmos DB should disable public network access 797b37f7-06b8-444c-b1ad-fc62867f335a Cosmos DB 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Databricks Clusters should disable public IP 51c1490f-3319-459c-bbbc-7f391bbed753 Azure Databricks 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Databricks Workspaces should be in a virtual network 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Databricks Workspaces should disable public network access 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 Azure Databricks 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Databricks Workspaces should use private link 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Azure DDoS Protection should be enabled a7aca53f-2ed4-4466-a25e-0b45ade68efd Security Center 3.0.1 2x
3.0.1, 3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Defender for App Service should be enabled 2913021d-f2fd-4f3d-b958-22354e2bdbcb Security Center 1.0.3 1x
1.0.3		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Azure Defender for Azure SQL Database servers should be enabled 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 Security Center 1.0.2 1x
1.0.2		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Defender for Key Vault should be enabled 0e6763cc-5078-4e64-889d-ff4d9a839047 Security Center 1.0.3 1x
1.0.3		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Azure Defender for open-source relational databases should be enabled 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Azure Defender for Resource Manager should be enabled c3d20c29-b36d-48fe-808b-99a87530ad99 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Defender for servers should be enabled 4da35fc9-c9e7-4960-aec9-797fe7d9051d Security Center 1.0.3 1x
1.0.3		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Defender for SQL servers on machines should be enabled 6581d072-105e-4418-827f-bd446d56421b Security Center 1.0.2 1x
1.0.2		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Azure Defender for SQL should be enabled for unprotected Azure SQL servers abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 SQL 2.0.1 1x
2.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Defender for SQL should be enabled for unprotected MySQL flexible servers 3bc8a0d5-38e0-4a3d-a657-2cb64468fc34 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers d38668f5-d155-42c7-ab3d-9b57b50f8fbf Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 SQL 1.0.2 1x
1.0.2		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure Event Grid domains should use private link 9830b652-8523-49cc-b1b3-e17dce1127ca Event Grid 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Azure Event Grid topics should use private link 4b90e17e-8448-49db-875e-bd83fb6f804f Event Grid 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Azure Key Vault should have firewall enabled or public network access disabled 55615ac9-af46-4a59-874e-391cc3dfb490 Key Vault 3.3.0 2x
3.3.0, 3.2.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Key Vault should use RBAC permission model 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 Key Vault 1.0.1 2x
1.0.1, 1.0.0-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA unknown
Azure Key Vaults should use private link a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Key Vault 1.2.1 1x
1.2.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Kubernetes Service clusters should have Defender profile enabled a1840de2-8088-4ea8-b153-b4c723e9cb01 Kubernetes 2.0.1 1x
2.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Azure Machine Learning compute instances should be recreated to get the latest software updates f110a506-2dcb-422e-bcea-d533fc8c35e2 Machine Learning 1.0.3 1x
1.0.3		 Fixed
[parameters('effects')]		 0 GA true
Azure Machine Learning Computes should be in a virtual network 7804b5c7-01dc-4723-969b-ae300cc07ff1 Machine Learning 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Azure Machine Learning Computes should have local authentication methods disabled e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Machine Learning 2.1.0 2x
2.1.0, 2.0.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Machine Learning workspaces should be encrypted with a customer-managed key ba769a63-b8cc-4b2d-abf6-ac33c7204be8 Machine Learning 1.1.0 2x
1.1.0, 1.0.3		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Machine Learning Workspaces should disable public network access 438c38d2-3772-465a-a9cc-7a6666a275ce Machine Learning 2.0.1 1x
2.0.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Machine Learning workspaces should use private link 45e05259-1eb5-4f70-9574-baf73e9d219b Machine Learning 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled 40e85574-ef33-47e8-a854-7a65c7500560 SQL 1.0.1 2x
1.0.1, 1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters 0a15ec92-a229-4763-bb14-0ea34a568f8d Kubernetes 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) 090c7b07-b4ed-4561-ad20-e9075f3ccaff Security Center 1.0.1 2x
1.0.1, 1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 Security Center 1.0.1 2x
1.0.1, 1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Azure SignalR Service should use private link 2393d2cf-a342-44cd-a2e2-fe0188fd1234 SignalR 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Azure Spring Cloud should use network injection af35e2a4-ef96-44e7-a9ae-853dd97032c4 App Platform 1.2.0 1x
1.2.0		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA unknown
Azure SQL Database should be running TLS version 1.2 or newer 32e6bbec-16b6-44c2-be37-c5b672d103cf SQL 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA true
Azure SQL Database should have Microsoft Entra-only authentication enabled b3a22bc9-66de-45fb-98fa-00f5df42f41a SQL 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure SQL Database should have Microsoft Entra-only authentication enabled during creation abda6d70-9778-44e7-84a8-06713e6db027 SQL 1.2.0 2x
1.2.0, 1.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled 0c28c3fb-c244-42d5-a9bf-f35f2999577b SQL 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure SQL Managed Instances should disable public network access 9dfea752-dd46-4766-aed1-c355fa93fb91 SQL 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation 78215662-041e-49ed-a9dd-5385911b3a1f SQL 1.2.0 2x
1.2.0, 1.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Azure Web Application Firewall should be enabled for Azure Front Door entry-points 055aa869-bc98-4af8-bafc-23f1ab6ffe2c Network 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Blocked accounts with owner permissions on Azure resources should be removed 0cfea604-3201-4e14-88fc-fae4c427a6c5 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Blocked accounts with read and write permissions on Azure resources should be removed 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Certificates should have the specified maximum validity period 0a075868-4c26-42ef-914c-5bc007359560 Key Vault 2.2.1 2x
2.2.1, 2.2.0-preview		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Container registries should be encrypted with a customer-managed key 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container Registry 1.1.2 1x
1.1.2		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Container registries should not allow unrestricted network access d0793b48-0edc-4296-a390-4c75d1bdfd71 Container Registry 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Container registries should use private link e8eef0a8-67cf-4eb4-9386-14b0e78733d4 Container Registry 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Cosmos DB database accounts should have local authentication methods disabled 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 Cosmos DB 1.1.0 1x
1.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
CosmosDB accounts should use private link 58440f8a-10c5-4151-bdce-dfbaad4a20b7 Cosmos DB 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Diagnostic logs in Azure AI services resources should be enabled 1b4d1c4e-934c-4703-944c-27c82c06bebb Azure Ai Services 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Email notification for high severity alerts should be enabled 6e2593d9-add6-4083-9c9b-4b7d2188c899 Security Center 1.2.0 3x
1.2.0, 1.1.0, 1.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Email notification to subscription owner for high severity alerts should be enabled 0b15565f-aa9e-48ba-8619-45960f2c314d Security Center 2.1.0 2x
2.1.0, 2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Enforce SSL connection should be enabled for MySQL database servers e802a67a-daf5-4436-9ea6-f6d821dd0c5d SQL 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Enforce SSL connection should be enabled for PostgreSQL database servers d158790f-bfb0-486c-8631-2dc6b4e8e6af SQL 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Function apps should have Client Certificates (Incoming client certificates) enabled ab6a902f-9493-453b-928d-62c30b11b5a6 App Service 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Function apps should have remote debugging turned off 0e60b895-3786-45da-8377-9c6b4b6ac5f9 App Service 2.0.0 1x
2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Function apps should not have CORS configured to allow every resource to access your apps 0820b7b9-23aa-4725-a1ce-ae4558f718e5 App Service 2.0.0 1x
2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Function apps should only be accessible over HTTPS 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab App Service 5.0.0 1x
5.0.0		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA true
Function apps should require FTPS only 399b2637-a50f-4f95-96f8-3a145476eb15 App Service 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Function apps should use managed identity 0da106f2-4ca3-48e8-bc85-c638fe6aea8f App Service 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Function apps should use the latest TLS version f9d614c5-c173-4d56-95a7-b4437057d193 App Service 2.1.0 2x
2.1.0, 2.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Geo-redundant backup should be enabled for Azure Database for MariaDB 0ec47710-77ff-4a3d-9181-6aa50af424d0 SQL 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Geo-redundant backup should be enabled for Azure Database for MySQL 82339799-d096-41ae-8538-b108becf0970 SQL 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Geo-redundant backup should be enabled for Azure Database for PostgreSQL 48af4db5-9b8b-401c-8e74-076be876a430 SQL 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Guest accounts with owner permissions on Azure resources should be removed 339353f6-2387-4a45-abe4-7f529d121046 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Guest accounts with read permissions on Azure resources should be removed e9ac8f8e-ce22-4355-8f04-99b911d6be52 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Guest accounts with write permissions on Azure resources should be removed 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Guest Configuration extension should be installed on your machines ae89ebca-1c92-4898-ac2c-9f63decb045c Security Center 1.0.3 1x
1.0.3		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Internet-facing virtual machines should be protected with network security groups f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
IP Forwarding on your virtual machine should be disabled bd352bd5-2853-4985-bf0d-73806b4a5744 Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Key Vault keys should have an expiration date 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 Key Vault 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Key Vault secrets should have an expiration date 98728c90-32c7-4049-8429-847dc0f4fe37 Key Vault 1.0.2 1x
1.0.2		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Key vaults should have deletion protection enabled 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key Vault 2.1.0 1x
2.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Key vaults should have soft delete enabled 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key Vault 3.0.0 1x
3.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes 9.3.0 3x
9.3.0, 9.2.0, 9.1.0		 Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster containers should not share host process ID or host IPC namespace 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes 5.2.0 2x
5.2.0, 5.1.0		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster containers should only use allowed AppArmor profiles 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes 6.2.0 2x
6.2.0, 6.1.1		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster containers should only use allowed capabilities c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes 6.2.0 2x
6.2.0, 6.1.0		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster containers should only use allowed images febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes 9.3.0 4x
9.3.0, 9.2.0, 9.1.1, 9.1.0		 Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster containers should run with a read only root file system df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes 6.3.0 3x
6.3.0, 6.2.0, 6.1.0		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster pod hostPath volumes should only use allowed host paths 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes 6.2.0 2x
6.2.0, 6.1.1		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster pods and containers should only run with approved user and group IDs f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes 6.2.0 2x
6.2.0, 6.1.1		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster pods should only use approved host network and port range 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes 6.2.0 2x
6.2.0, 6.1.0		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster services should listen only on allowed ports 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes 8.2.0 2x
8.2.0, 8.1.0		 Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster should not allow privileged containers 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes 9.2.0 2x
9.2.0, 9.1.0		 Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes clusters should be accessible only over HTTPS 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes 8.2.0 2x
8.2.0, 8.1.0		 Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes clusters should disable automounting API credentials 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes 4.2.0 2x
4.2.0, 4.1.0		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes clusters should not allow container privilege escalation 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes 7.2.0 2x
7.2.0, 7.1.0		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes 5.1.0 1x
5.1.0		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes clusters should not use the default namespace 9f061a12-e40d-4183-a00e-171812443373 Kubernetes 4.2.0 2x
4.2.0, 4.1.0		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Linux machines should meet requirements for the Azure compute security baseline fc9b3da7-8347-4380-8e70-0a0361d8dedd Guest Configuration 2.2.0 2x
2.2.0, 2.1.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. ca88aadc-6e2b-416c-9de2-5a0f01d1693f Guest Configuration 1.2.1 3x
1.2.1, 1.2.0-preview, 1.1.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Machines should be configured to periodically check for missing system updates bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Azure Update Manager 3.8.0 5x
3.8.0, 3.7.0, 3.6.0, 3.5.0, 3.4.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Machines should have secret findings resolved 3ac7c827-eea2-4bde-acc7-9568cd320efa Security Center 1.0.2 1x
1.0.2		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Management ports of virtual machines should be protected with just-in-time network access control b0f33259-77d7-4c9e-aac6-3aabcfae693c Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Management ports should be closed on your virtual machines 22730e10-96f6-4aac-ad84-9383d35b5917 Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Microsoft Defender CSPM should be enabled 1f90fc71-a595-4066-8974-d4d0802e8ef0 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Microsoft Defender for APIs should be enabled 7926a6d1-b268-4586-8197-e8ae90c877d7 Security Center 1.0.3 1x
1.0.3		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Microsoft Defender for Containers should be enabled 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces d31e5c31-63b2-4f12-887b-e49456834fa1 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers 938c4981-c2c9-4168-9cd6-972b8675f906 Security Center 1.1.0 2x
1.1.0, 1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA unknown
Microsoft Defender for Storage should be enabled 640d2586-54d2-465f-877f-9ffc1d2109f4 Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
MySQL servers should use customer-managed keys to encrypt data at rest 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 SQL 1.0.4 1x
1.0.4		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Network Watcher should be enabled b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 Network 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Non-internet-facing virtual machines should be protected with network security groups bb91dfba-c30d-4263-9add-9c2384e659a6 Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Only secure connections to your Azure Cache for Redis should be enabled 22bee202-a82f-4305-9a2a-6d7f44d4dedb Cache 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
PostgreSQL servers should use customer-managed keys to encrypt data at rest 18adea5e-f416-4d0f-8aa8-d24321e3e274 SQL 1.0.4 1x
1.0.4		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Private endpoint connections on Azure SQL Database should be enabled 7698e800-9299-47a6-b3b6-5a0fee576eed SQL 1.1.0 1x
1.1.0		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Private endpoint should be enabled for MariaDB servers 0a1302fb-a631-4106-9753-f3d494733990 SQL 1.0.2 1x
1.0.2		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Private endpoint should be enabled for MySQL servers 7595c971-233d-4bcf-bd18-596129188c49 SQL 1.0.2 1x
1.0.2		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Private endpoint should be enabled for PostgreSQL servers 0564d078-92f5-4f97-8398-b9f58a51f70b SQL 1.0.2 1x
1.0.2		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Public network access on Azure SQL Database should be disabled 1b8ca024-1d5c-4dec-8995-b1a932b41780 SQL 1.1.0 1x
1.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Public network access should be disabled for MariaDB servers fdccbe47-f3e3-4213-ad5d-ea459b2fa077 SQL 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA unknown
Public network access should be disabled for MySQL servers d9844e8a-1437-4aeb-a32c-0c992f056095 SQL 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA unknown
Public network access should be disabled for PostgreSQL servers b52376f7-9612-48a1-81cd-1ffe4b61032c SQL 2.0.1 1x
2.0.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Resource logs in Azure Data Lake Store should be enabled 057ef27e-665e-4328-8ea3-04b3122bd9fb Data Lake 5.0.0 1x
5.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Azure Databricks Workspaces should be enabled 138ff14d-b687-4faa-a81c-898c91a87fa2 Azure Databricks 1.0.1 1x
1.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Azure Kubernetes Service should be enabled 245fc9df-fa96-4414-9a0b-3738c2f7341c Kubernetes 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Azure Machine Learning Workspaces should be enabled afe0c3be-ba3b-4544-ba52-0c99672a8ad6 Machine Learning 1.0.1 1x
1.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Azure Stream Analytics should be enabled f9be5368-9bf5-4b84-9e0a-7850da98bb46 Stream Analytics 5.0.0 1x
5.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Batch accounts should be enabled 428256e6-1fac-4f48-a757-df34c2b3336d Batch 5.0.0 1x
5.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Data Lake Analytics should be enabled c95c74d9-38fe-4f0d-af86-0c7d626a315c Data Lake 5.0.0 1x
5.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Event Hub should be enabled 83a214f7-d01a-484b-91a9-ed54470c9a6a Event Hub 5.0.0 1x
5.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in IoT Hub should be enabled 383856f8-de7f-44a2-81fc-e5135b5c2aa4 Internet of Things 3.1.0 1x
3.1.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Resource logs in Key Vault should be enabled cf820ca0-f99e-4f3e-84fb-66e913812d21 Key Vault 5.0.0 1x
5.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Logic Apps should be enabled 34f95f76-5386-4de7-b824-0d8478470c9d Logic Apps 5.1.0 1x
5.1.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Search services should be enabled b4330a05-a843-4bc8-bf9a-cacce50c67f4 Search 5.0.0 1x
5.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Resource logs in Service Bus should be enabled f8d36e2f-389b-4ee4-898d-21aeb69a0f45 Service Bus 5.0.0 1x
5.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Role-Based Access Control (RBAC) should be used on Kubernetes Services ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Security Center 1.1.0 3x
1.1.0, 1.0.4, 1.0.3		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Secure transfer to storage accounts should be enabled 404c3081-a854-4457-ae30-26a93ef643f9 Storage 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign 617c02be-7f02-4efd-8836-3180d47b6c68 Service Fabric 1.1.0 1x
1.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Service Fabric clusters should only use Azure Active Directory for client authentication b54ed75b-3e1a-44ac-a333-05ba39b99ff0 Service Fabric 1.1.0 1x
1.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
SQL databases should have vulnerability findings resolved feedbf84-6b99-488c-acc2-71c829aa5ffc Security Center 4.1.0 1x
4.1.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
SQL managed instances should use customer-managed keys to encrypt data at rest ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 SQL 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
SQL servers on machines should have vulnerability findings resolved 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
SQL servers should use customer-managed keys to encrypt data at rest 0a370ff3-6cab-4e85-8995-295fd854c5b8 SQL 2.0.1 1x
2.0.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 89099bee-89e0-4b26-a5f4-165451757743 SQL 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan c6283572-73bb-4deb-bf2c-7a2b8f7462cb Security Center 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Storage account public access should be disallowed 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 Storage 3.1.1 2x
3.1.1, 3.1.0-preview		 Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA unknown
Storage accounts should be migrated to new Azure Resource Manager resources 37e0d2fe-28a5-43d6-a273-67d37d1f5606 Storage 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Storage accounts should prevent shared key access 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 Storage 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Storage accounts should restrict network access 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage 1.1.1 1x
1.1.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Storage accounts should restrict network access using virtual network rules 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f Storage 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Storage accounts should use customer-managed key for encryption 6fac406b-40ca-413b-bf8e-0bf964659c25 Storage 1.0.3 1x
1.0.3		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Storage accounts should use private link 6edd7eda-6dd8-40f7-810d-67160c639cd9 Storage 2.0.0 1x
2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Subnets should be associated with a Network Security Group e71308d3-144b-4262-b144-efdc3cc90517 Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Subscriptions should have a contact email address for security issues 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 Security Center 1.0.1 1x
1.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Synapse Workspaces should have Microsoft Entra-only authentication enabled 6ea81a52-5ca7-4575-9669-eaa910b7edf8 Synapse 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse 1.2.0 2x
1.2.0, 1.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
System updates should be installed on your machines (powered by Update Center) f85bf3e0-d513-442e-89c3-1784ad63382b Security Center 1.0.1 2x
1.0.1, 1.0.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
There should be more than one owner assigned to your subscription 09024ccc-0c5f-475e-9457-b7c0d9ed487b Security Center 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Transparent Data Encryption on SQL databases should be enabled 17k78e20-9358-41c9-923c-fb736d382a12 SQL 2.0.0 1x
2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Virtual machines and virtual machine scale sets should have encryption at host enabled fc4d8e41-e223-45ea-9bf5-eada37891d87 Compute 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity d26f7642-7545-4e18-9b75-8c9bbdee3a9a Security Center 1.0.1 1x
1.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Virtual machines should be migrated to new Azure Resource Manager resources 1d84d5fb-01f6-4d12-ba4f-4a26081d403d Compute 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
VM Image Builder templates should use private link 2154edb9-244f-4741-9970-660785bccdaa VM Image Builder 1.1.0 1x
1.1.0		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA unknown
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users 21a6bc25-125e-4d13-b82d-2e19b7208ab7 Network 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Vulnerability assessment should be enabled on SQL Managed Instance 1b7aa243-30e4-4c9e-bca8-d0d3022b634a SQL 1.0.1 1x
1.0.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Vulnerability assessment should be enabled on your SQL servers ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 SQL 3.0.0 1x
3.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Web Application Firewall (WAF) should be enabled for Application Gateway 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 Network 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Windows Defender Exploit Guard should be enabled on your machines bed48b13-6647-468e-aa2f-1af1d3f4dd40 Guest Configuration 2.0.0 1x
2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Windows machines should be configured to use secure communication protocols 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Guest Configuration 4.1.1 1x
4.1.1		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Windows machines should meet requirements of the Azure compute security baseline 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc Guest Configuration 2.0.0 1x
2.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. 3dc5edcd-002d-444c-b216-e123bbfa37c0 Guest Configuration 1.1.1 2x
1.1.1, 1.1.0-preview		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Roles used No Roles used
History
Date/Time (UTC ymd) (i) Changes
2025-05-21 17:56:14 Version change: '57.50.0' to '57.51.0'
2025-04-24 19:52:16 add Policy Azure Key Vault should use RBAC permission model (12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5)
Version change: '57.49.0' to '57.50.0'
2025-03-12 18:29:00 Version change: '57.48.0' to '57.49.0'
remove Policy [Deprecated]: Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15)
2025-01-28 19:35:17 add Policy Function apps should have Client Certificates (Incoming client certificates) enabled (ab6a902f-9493-453b-928d-62c30b11b5a6)
Version change: '57.45.0' to '57.48.0'
remove Policy [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4)
remove Policy [Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a)
remove Policy [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled (eaebaea7-8013-4ceb-9d14-7eb32271373c)
remove Policy [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52)
2024-10-15 17:53:51 Version change: '57.44.0' to '57.45.0'
remove Policy [Deprecated]: System updates on virtual machine scale sets should be installed (c3f317a7-a95c-4547-b7e7-11017ebdf2fe)
remove Policy [Deprecated]: System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)
2024-09-05 17:48:45 Version change: '57.43.0' to '57.44.0'
remove Policy [Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
remove Policy [Deprecated]: Allowlist rules in your adaptive application control policy should be updated (123a3936-f020-408a-ba0c-47873faf1534)
remove Policy [Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6)
remove Policy [Deprecated]: Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933)
remove Policy [Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17)
remove Policy [Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)
2024-08-29 17:47:54 Version change: '57.42.0' to '57.43.0'
remove Policy [Deprecated]: Endpoint protection should be installed on your machines (1f7c564c-0a90-4d44-b7e1-9d456cffaee8)
remove Policy [Deprecated]: Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)
remove Policy [Deprecated]: Endpoint protection health issues should be resolved on your machines (8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2)
remove Policy [Deprecated]: Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de)
2024-08-08 18:19:51 add Policy Diagnostic logs in Azure AI services resources should be enabled (1b4d1c4e-934c-4703-944c-27c82c06bebb)
add Policy Azure AI Services resources should use Azure Private Link (d6759c02-b87f-42b7-892e-71b3f471d782)
Version change: '57.41.0' to '57.42.0'
2024-08-01 18:19:47 add Policy Azure Defender for SQL should be enabled for unprotected MySQL flexible servers (3bc8a0d5-38e0-4a3d-a657-2cb64468fc34)
Version change: '57.40.0' to '57.41.0'
2024-07-11 18:19:05 Version change: '57.39.0' to '57.40.0'
remove Policy [Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc (1e7fed80-8321-4605-b42c-65fc300f23a3)
remove Policy [Deprecated]: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring (a3a6ea0c-e018-4933-9ef0-5aaa1501449b)
remove Policy [Deprecated]: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (a4fe33eb-e377-4efb-ab31-0784311bc499)
remove Policy [Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc (4078e558-bda6-41fb-9b3c-361e8875200d)
2024-06-06 18:16:34 add Policy [Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled (fa498b91-8a7e-4710-9578-da944c68d1fe)
Version change: '57.37.0' to '57.39.0'
remove Policy [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
2024-04-17 17:45:34 Version change: '57.36.0' to '57.37.0'
2024-04-11 17:47:35 Version change: '57.35.0' to '57.36.0'
remove Policy [Deprecated]: Cognitive Services accounts should disable public network access (0725b4dd-7e76-479c-a735-68e7ee23d5ca)
2024-03-27 18:49:34 Version change: '57.34.0' to '57.35.0'
2024-03-20 18:47:00 Version change: '57.33.0' to '57.34.0'
remove Policy [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) (0fc39691-5a3f-4e3e-94ee-2e6447309ad9)
remove Policy [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) (5f0f936f-2f01-4bf5-b6be-d423792fa562)
2024-03-06 19:15:55 add Policy [Preview]: Host and VM networking should be protected on Azure Stack HCI systems (36f0d6bc-a253-4df8-b25b-c3a5023ff443)
add Policy [Preview]: Azure Stack HCI servers should have consistently enforced application control policies (dad3a6b9-4451-492f-a95c-69efc6f3fada)
add Policy [Preview]: Azure Stack HCI systems should have encrypted volumes (ee8ca833-1583-4d24-837e-96c2af9488a4)
add Policy [Preview]: Azure Stack HCI servers should meet Secured-core requirements (5e6bf724-0154-49bc-985f-27b2e07e636b)
Version change: '57.32.0' to '57.33.0'
remove Policy [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies (7384fde3-11b0-4047-acbd-b3cf3cc8ce07)
remove Policy [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems (aee306e7-80b0-46f3-814c-d3d3083ed034)
remove Policy [Deprecated]: Azure Stack HCI systems should have encrypted volumes (ae95f12a-b6fd-42e0-805c-6b94b86c9830)
remove Policy [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements (56c47221-b8b7-446e-9ab7-c7c9dc07f0ad)
2024-02-15 20:37:47 add Policy Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers (d38668f5-d155-42c7-ab3d-9b57b50f8fbf)
Version change: '57.31.0' to '57.32.0'
2024-02-05 19:34:05 add Policy Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces (d31e5c31-63b2-4f12-887b-e49456834fa1)
Version change: '57.30.0' to '57.31.0'
2024-01-29 19:36:15 add Policy [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements (56c47221-b8b7-446e-9ab7-c7c9dc07f0ad)
add Policy Azure SQL Database should have Microsoft Entra-only authentication enabled (b3a22bc9-66de-45fb-98fa-00f5df42f41a)
add Policy [Deprecated]: Azure Stack HCI systems should have encrypted volumes (ae95f12a-b6fd-42e0-805c-6b94b86c9830)
add Policy [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems (aee306e7-80b0-46f3-814c-d3d3083ed034)
add Policy [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies (7384fde3-11b0-4047-acbd-b3cf3cc8ce07)
add Policy Synapse Workspaces should have Microsoft Entra-only authentication enabled (6ea81a52-5ca7-4575-9669-eaa910b7edf8)
add Policy Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled (0c28c3fb-c244-42d5-a9bf-f35f2999577b)
Version change: '57.28.1' to '57.30.0'
2024-01-17 19:06:27 add Policy SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan (c6283572-73bb-4deb-bf2c-7a2b8f7462cb)
Version change: '57.27.0' to '57.28.1'
remove Policy [Deprecated]: Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d)
2023-12-12 19:47:53 add Policy Azure API Management platform version should be stv2 (1dc2fc00-2245-4143-99f4-874c937f13ef)
add Policy App Service apps should have Client Certificates (Incoming client certificates) enabled (19dd1db6-f442-49cf-a838-b0786b4401ef)
Version change: '57.25.0' to '57.27.0'
remove Policy [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609)
2023-12-07 18:54:02 Version change: '57.24.0' to '57.25.0'
remove Policy [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
2023-11-16 20:21:34 Version change: '57.23.2' to '57.24.0'
2023-11-09 19:39:25 Version change: '57.23.1' to '57.23.2'
2023-09-21 17:57:51 Version change: '57.23.0' to '57.23.1'
2023-08-31 17:59:16 add Policy Virtual machines and virtual machine scale sets should have encryption at host enabled (fc4d8e41-e223-45ea-9bf5-eada37891d87)
add Policy CosmosDB accounts should use private link (58440f8a-10c5-4151-bdce-dfbaad4a20b7)
add Policy Azure SQL Database should be running TLS version 1.2 or newer (32e6bbec-16b6-44c2-be37-c5b672d103cf)
add Policy VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users (21a6bc25-125e-4d13-b82d-2e19b7208ab7)
add Policy Azure AI Services resources should have key access disabled (disable local authentication) (71ef260a-8f18-47b7-abcb-62d0673d94dc)
add Policy Azure Cosmos DB should disable public network access (797b37f7-06b8-444c-b1ad-fc62867f335a)
add Policy [Deprecated]: Cognitive Services should use private link (cddd188c-4b82-4c48-a19d-ddf74ee66a01)
add Policy Storage accounts should prevent shared key access (8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54)
add Policy Azure SQL Managed Instances should disable public network access (9dfea752-dd46-4766-aed1-c355fa93fb91)
Version change: '57.22.0' to '57.23.0'
2023-08-17 17:57:06 add Policy Microsoft Defender for Storage should be enabled (640d2586-54d2-465f-877f-9ffc1d2109f4)
Version change: '57.20.0' to '57.22.0'
2023-08-09 17:56:06 add Policy API endpoints that are unused should be disabled and removed from the Azure API Management service (c8acafaf-3d23-44d1-9624-978ef0f8652c)
add Policy API endpoints in Azure API Management should be authenticated (8ac833bd-f505-48d5-887e-c993a1d3eea0)
Version change: '57.19.0' to '57.20.0'
2023-06-29 17:48:40 add Policy Machines should have secret findings resolved (3ac7c827-eea2-4bde-acc7-9568cd320efa)
Version change: '57.18.0' to '57.19.0'
2023-06-21 17:48:55 add Policy Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) (17f4b1cc-c55c-4d94-b1f9-2978f6ac2957)
Version change: '57.16.0' to '57.18.0'
2023-06-14 17:46:13 add Policy [Preview]: Linux virtual machines should use only signed and trusted boot components (13a6c84f-49a5-410a-b5df-5b880c3fe009)
Version change: '57.14.0' to '57.16.0'
remove Policy [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images (13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759)
2023-05-25 17:42:57 add Policy Resource logs in Azure Machine Learning Workspaces should be enabled (afe0c3be-ba3b-4544-ba52-0c99672a8ad6)
add Policy Azure Databricks Clusters should disable public IP (51c1490f-3319-459c-bbbc-7f391bbed753)
add Policy Azure Machine Learning Computes should have local authentication methods disabled (e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f)
add Policy Azure Machine Learning Computes should be in a virtual network (7804b5c7-01dc-4723-969b-ae300cc07ff1)
add Policy Azure Machine Learning Workspaces should disable public network access (438c38d2-3772-465a-a9cc-7a6666a275ce)
add Policy Azure Machine Learning compute instances should be recreated to get the latest software updates (f110a506-2dcb-422e-bcea-d533fc8c35e2)
add Policy Azure Databricks Workspaces should disable public network access (0e7849de-b939-4c50-ab48-fc6b0f5eeba2)
add Policy Resource logs in Azure Databricks Workspaces should be enabled (138ff14d-b687-4faa-a81c-898c91a87fa2)
add Policy Azure Databricks Workspaces should use private link (258823f2-4595-4b52-b333-cc96192710d8)
add Policy Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) (090c7b07-b4ed-4561-ad20-e9075f3ccaff)
add Policy Azure Databricks Workspaces should be in a virtual network (9c25c9e4-ee12-4882-afd2-11fb9d87893f)
Version change: '57.12.0' to '57.14.0'
2023-05-18 17:45:27 Version change: '57.11.1' to '57.12.0'
remove Policy [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled (e27a6dfc-883f-4f9e-97cc-a819fe702400)
2023-05-10 17:45:01 Version change: '57.11.0' to '57.11.1'
2023-05-08 17:43:54 Name change: 'Azure Security Benchmark' to 'Microsoft cloud security benchmark'
Description change: 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v3, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.' to 'The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.'
2023-05-04 17:45:12 add Policy [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled (e27a6dfc-883f-4f9e-97cc-a819fe702400)
add Policy Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled (40e85574-ef33-47e8-a854-7a65c7500560)
Version change: '57.7.0' to '57.11.0'
remove Policy [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed)
remove Policy App Service apps that use PHP should use a specified 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3)
remove Policy Function apps that use Java should use a specified 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc)
remove Policy [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad)
remove Policy [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3)
remove Policy [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
remove Policy [Deprecated]: External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9)
remove Policy [Deprecated]: External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4)
remove Policy [Deprecated]: Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474)
remove Policy App Service apps that use Python should use a specified 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73)
remove Policy App Service apps that use Java should use a specified 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed)
remove Policy [Deprecated]: External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60)
remove Policy Function apps that use Python should use a specified 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73)
2023-04-20 17:41:20 add Policy API Management calls to API backends should not bypass certificate thumbprint or name validation (92bb331d-ac71-416a-8c91-02f2cb734ce4)
add Policy API Management direct management endpoint should not be enabled (b741306c-968e-4b67-b916-5675e5c709f4)
add Policy API Management minimum API version should be set to 2019-12-01 or higher (549814b6-3212-4203-bdc8-1548d342fb67)
add Policy API Management subscriptions should not be scoped to all APIs (3aa03346-d8c5-4994-a5bc-7652c2a2aef1)
add Policy API Management secret named values should be stored in Azure Key Vault (f1cc7827-022c-473e-836e-5a51cae0b249)
add Policy API Management calls to API backends should be authenticated (c15dcc82-b93c-4dcb-9332-fbf121685b54)
add Policy API Management APIs should use only encrypted protocols (ee7495e7-3ba7-40b6-bfee-c29e22cc75d4)
add Policy Microsoft Defender for APIs should be enabled (7926a6d1-b268-4586-8197-e8ae90c877d7)
add Policy API Management should disable public network access to the service configuration endpoints (df73bd95-24da-4a4f-96b9-4e8b94b402bd)
Version change: '57.5.0' to '57.7.0'
2023-04-06 17:42:17 Version change: '57.4.0' to '57.5.0'
2023-03-23 18:43:19 add Policy Azure Machine Learning workspaces should use private link (45e05259-1eb5-4f70-9574-baf73e9d219b)
Version change: '57.3.1' to '57.4.0'
remove Policy [Deprecated]: Azure Machine Learning workspaces should use private link (40cec1dd-a100-4920-b15b-3024fe8901ab)
2023-03-16 18:42:41 add Policy A Microsoft Entra administrator should be provisioned for MySQL servers (146412e9-005c-472b-9e48-c87b72ac229e)
add Policy Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation (78215662-041e-49ed-a9dd-5385911b3a1f)
add Policy Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation (2158ddbe-fefa-408e-b43f-d4faef8ff3b8)
add Policy A Microsoft Entra administrator should be provisioned for PostgreSQL servers (b4dec045-250a-48c2-b5cc-e0c4eec8b5b4)
Version change: '57.2.0' to '57.3.1'
2023-03-08 18:42:28 add Policy Azure SQL Database should have Microsoft Entra-only authentication enabled during creation (abda6d70-9778-44e7-84a8-06713e6db027)
Version change: '57.1.0' to '57.2.0'
2023-02-21 18:41:21 add Policy Azure Key Vaults should use private link (a6abeaec-4d90-4a02-805f-6b26c4d3fbe9)
Version change: '57.0.0' to '57.1.0'
remove Policy [Deprecated]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147)
remove Policy [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled (7c1b1214-f927-48bf-8882-84f0af6588b1)
2022-12-21 17:43:48 add Policy Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. (3dc5edcd-002d-444c-b216-e123bbfa37c0)
add Policy Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. (ca88aadc-6e2b-416c-9de2-5a0f01d1693f)
add Policy Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers (938c4981-c2c9-4168-9cd6-972b8675f906)
Version change: '55.0.0' to '57.0.0'
2022-11-11 17:43:56 add Policy Microsoft Defender CSPM should be enabled (1f90fc71-a595-4066-8974-d4d0802e8ef0)
Version change: '54.1.1' to '55.0.0'
2022-09-27 16:35:21 Version change: '54.1.0' to '54.1.1'
2022-09-09 16:35:25 add Policy System updates should be installed on your machines (powered by Update Center) (f85bf3e0-d513-442e-89c3-1784ad63382b)
add Policy Machines should be configured to periodically check for missing system updates (bd876905-5b84-4f73-ab2d-2e7a7c4568d9)
Version change: '54.0.0' to '54.1.0'
2022-09-01 16:38:24 add Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5)
add Policy [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4)
add Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be)
add Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87)
add Policy [Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a)
add Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046)
add Policy [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52)
add Policy Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52)
Version change: '53.0.0' to '54.0.0'
2022-08-31 16:35:07 Description change: 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.' to 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v3, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.'
2022-08-18 16:32:47 Version change: '52.0.0' to '53.0.0'
remove Policy [Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a)
remove Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046)
remove Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be)
remove Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5)
remove Policy [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52)
remove Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87)
remove Policy [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4)
remove Policy Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52)
2022-08-12 16:33:44 add Policy [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52)
add Policy [Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a)
add Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5)
add Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87)
add Policy [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4)
add Policy Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52)
add Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be)
add Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046)
Version change: '51.0.0' to '52.0.0'
2022-07-07 16:32:14 Version change: '50.3.0' to '51.0.0'
remove Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e)
remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e)
remove Policy [Deprecated]: Managed identity should be used in your API App (c4d441f8-f9d9-4a9e-9cef-e82117cb3eef)
remove Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39)
remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba)
remove Policy [Deprecated]: CORS should not allow every resource to access your API App (358c20a6-3f9e-4f0e-97ff-c6ce485e2aac)
remove Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16)
remove Policy [Deprecated]: FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5)
remove Policy [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled (0c192fe8-9cbb-4516-85b3-0ade8bd03886)
2022-06-30 16:33:05 Version change: '50.2.0' to '50.3.0'
2022-06-23 16:36:57 Version change: '50.1.0' to '50.2.0'
2022-06-16 16:34:43 Version change: '50.0.0' to '50.1.0'
2022-06-10 16:31:22 Version change: '49.0.0' to '50.0.0'
remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2022-05-26 16:30:17 add Policy Azure SignalR Service should use private link (2393d2cf-a342-44cd-a2e2-fe0188fd1234)
Version change: '48.2.0' to '49.0.0'
remove Policy [Deprecated]: Azure SignalR Service should use private link (53503636-bcc9-4748-9663-5348217f160f)
2022-05-12 16:30:30 Version change: '47.0.0' to '48.2.0'
remove Policy [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates (6646a0bd-e110-40ca-bb97-84fcee63c414)
2022-04-22 19:50:54 add Policy Azure Cache for Redis should use private link (7803067c-7d34-46e3-8c79-0ca68fc4036d)
Version change: '46.2.0' to '47.0.0'
remove Policy [Deprecated]: Azure Cache for Redis should reside within a virtual network (7d092e0a-7acd-40d2-a975-dca21cae48c4)
2022-04-01 20:29:13 add Policy Cosmos DB database accounts should have local authentication methods disabled (5450f5bd-9c72-4390-a9c4-a7aba4edfdd2)
Version change: '45.2.0' to '46.2.0'
2022-03-18 17:53:48 Version change: '45.0.0' to '45.2.0'
2022-01-20 18:36:46 add Policy Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed (6b2122c1-8120-4ff5-801b-17625a355590)
2022-01-13 19:18:29 remove Policy [Deprecated]: Diagnostic logs in App Services should be enabled (b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0)
remove Policy [Deprecated]: Kubernetes cluster containers should only listen on allowed ports (440b515e-a580-421e-abeb-b159a61ddcbc)
2021-12-08 16:24:23 add Policy SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2)
add Policy [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) (0fc39691-5a3f-4e3e-94ee-2e6447309ad9)
add Policy SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8)
add Policy Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38)
remove Policy [Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4)
remove Policy [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a)
remove Policy [Deprecated]: Sensitive data in your SQL databases should be classified (cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349)
remove Policy [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest (048248b0-55cd-46da-b1ff-39efd52db260)
remove Policy [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest (0d134df8-db83-46fb-ad72-fe0c9428c8dd)
2021-11-15 17:00:50 add Policy [Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc (1e7fed80-8321-4605-b42c-65fc300f23a3)
add Policy App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510)
add Policy [Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc (4078e558-bda6-41fb-9b3c-361e8875200d)
remove Policy [Deprecated]: Log Analytics agent health issues should be resolved on your machines (d62cfe2b-3ab0-4d41-980d-76803b58ca65)
2021-10-14 16:31:34 add Policy Azure Defender for open-source relational databases should be enabled (0a9fbe0d-c5c4-4da8-87d8-f4fd77338835)
2021-09-30 16:01:51 add Policy [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images (13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759)
2021-09-23 15:53:12 add Policy Resource logs in Azure Kubernetes Service should be enabled (245fc9df-fa96-4414-9a0b-3738c2f7341c)
2021-09-03 15:41:53 add Policy [Deprecated]: Endpoint protection health issues should be resolved on your machines (8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2)
add Policy [Deprecated]: Endpoint protection should be installed on your machines (1f7c564c-0a90-4d44-b7e1-9d456cffaee8)
2021-08-27 15:09:16 add Policy Azure Kubernetes Service clusters should have Defender profile enabled (a1840de2-8088-4ea8-b153-b4c723e9cb01)
2021-05-18 14:34:49 add Policy [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets (a21f8c92-9e22-4f09-b759-50500d1d2dda)
add Policy [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines (672fe5a1-2fcd-42d7-b85d-902b6e28c6ff)
add Policy Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities (d2e7ea85-6b44-4317-a0be-1b951587f626)
add Policy [Preview]: vTPM should be enabled on supported virtual machines (1c30f9cd-b84c-49cc-aa2c-9288447cc3b3)
add Policy [Preview]: Secure Boot should be enabled on supported Windows virtual machines (97566dd7-78ae-4997-8b36-1c7bfe0d8121)
add Policy Kubernetes clusters should disable automounting API credentials (423dd1ba-798e-40e4-9c4d-b6902674b423)
add Policy [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines (1cb4d9c2-f88f-4069-bee0-dba239a57b09)
add Policy [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets (f655e522-adff-494d-95c2-52d4f6d56a42)
add Policy Kubernetes clusters should not use the default namespace (9f061a12-e40d-4183-a00e-171812443373)
2021-05-04 14:34:05 remove Policy [Deprecated]: Operating system version should be the most current version for your cloud service roles (5a913c68-0590-402c-a531-e57e19379da3)
remove Policy Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version (fb893a29-21bb-418c-a157-e99480ec364c)
2021-04-21 13:28:48 remove Policy [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. (11566b39-f7f7-4b82-ab06-68d8700eb0a4)
remove Policy [Deprecated]: Cognitive Services accounts should enable data encryption (2bdd0062-9d75-436e-89df-487dd8e4b3c7)
2021-04-13 13:29:23 add Policy Linux machines should meet requirements for the Azure compute security baseline (fc9b3da7-8347-4380-8e70-0a0361d8dedd)
add Policy Azure Defender for Resource Manager should be enabled (c3d20c29-b36d-48fe-808b-99a87530ad99)
add Policy Windows machines should meet requirements of the Azure compute security baseline (72650e9f-97bc-4b2a-ab5f-9781a9fcecbc)
add Policy [Deprecated]: Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d)
2021-03-24 14:32:49 add Policy [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed (8dfab9c4-fe7b-49ad-85e4-1e9be085358f)
2021-02-23 16:24:42 add Policy Windows machines should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
add Policy [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. (11566b39-f7f7-4b82-ab06-68d8700eb0a4)
add Policy Kubernetes clusters should be accessible only over HTTPS (1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d)
add Policy Public network access on Azure SQL Database should be disabled (1b8ca024-1d5c-4dec-8995-b1a932b41780)
add Policy [Deprecated]: Cognitive Services accounts should enable data encryption (2bdd0062-9d75-436e-89df-487dd8e4b3c7)
add Policy Private endpoint connections on Azure SQL Database should be enabled (7698e800-9299-47a6-b3b6-5a0fee576eed)
add Policy Azure AI Services resources should restrict network access (037eea7a-bd0a-46c5-9a66-03aea78705d3)
add Policy API Management services should use a virtual network (ef619a2c-cc4d-4d03-b2ba-8c94a834d85b)
add Policy [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled (0c192fe8-9cbb-4516-85b3-0ade8bd03886)
add Policy Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6)
add Policy Authentication to Linux machines should require SSH keys (630c64f9-8b6b-4c64-b511-6544ceff6fd6)
add Policy [Deprecated]: Cognitive Services accounts should disable public network access (0725b4dd-7e76-479c-a735-68e7ee23d5ca)
add Policy Azure Cosmos DB accounts should have firewall rules (862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb)
2021-02-09 14:46:37 Name change: 'Enable Monitoring in Azure Security Center' to 'Azure Security Benchmark'
Description change: 'Monitor all the available security recommendations in Azure Security Center. This is the default policy for Azure Security Center.' to 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.'
2021-01-22 09:14:56 remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)
2021-01-05 16:06:49 add Policy [Deprecated]: Azure SignalR Service should use private link (53503636-bcc9-4748-9663-5348217f160f)
add Policy Azure Machine Learning workspaces should be encrypted with a customer-managed key (ba769a63-b8cc-4b2d-abf6-ac33c7204be8)
add Policy Key vaults should have deletion protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53)
add Policy Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) (67121cc7-ff39-4ab8-b7e3-95b84dab487d)
add Policy [Deprecated]: Azure Machine Learning workspaces should use private link (40cec1dd-a100-4920-b15b-3024fe8901ab)
add Policy [Deprecated]: Azure Cache for Redis should reside within a virtual network (7d092e0a-7acd-40d2-a975-dca21cae48c4)
add Policy Email notification to subscription owner for high severity alerts should be enabled (0b15565f-aa9e-48ba-8619-45960f2c314d)
add Policy Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077)
add Policy App Configuration should use private link (ca610c1d-041c-4332-9d88-7ed3094967c7)
add Policy VM Image Builder templates should use private link (2154edb9-244f-4741-9970-660785bccdaa)
add Policy PostgreSQL servers should use customer-managed keys to encrypt data at rest (18adea5e-f416-4d0f-8aa8-d24321e3e274)
add Policy [Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17)
add Policy [Deprecated]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147)
add Policy Public network access should be disabled for MySQL servers (d9844e8a-1437-4aeb-a32c-0c992f056095)
add Policy Storage accounts should restrict network access using virtual network rules (2a1a9cdf-e04d-429a-8416-3bfb72a1b26f)
add Policy Azure Key Vault should have firewall enabled or public network access disabled (55615ac9-af46-4a59-874e-391cc3dfb490)
add Policy Web Application Firewall (WAF) should be enabled for Application Gateway (564feb30-bf6a-4854-b4bb-0d2d2d1e6c66)
add Policy Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7)
add Policy [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled (eaebaea7-8013-4ceb-9d14-7eb32271373c)
add Policy Azure Event Grid domains should use private link (9830b652-8523-49cc-b1b3-e17dce1127ca)
add Policy Container registries should use private link (e8eef0a8-67cf-4eb4-9386-14b0e78733d4)
add Policy Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest (1f905d99-2ab7-462c-a6b0-f709acca6c8f)
add Policy Container registries should be encrypted with a customer-managed key (5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580)
add Policy Email notification for high severity alerts should be enabled (6e2593d9-add6-4083-9c9b-4b7d2188c899)
add Policy Container registries should not allow unrestricted network access (d0793b48-0edc-4296-a390-4c75d1bdfd71)
add Policy Azure Spring Cloud should use network injection (af35e2a4-ef96-44e7-a9ae-853dd97032c4)
add Policy SQL servers on machines should have vulnerability findings resolved (6ba6d016-e7c3-4842-b8f2-4992ebc0d72d)
add Policy Key vaults should have soft delete enabled (1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d)
add Policy Storage accounts should use customer-managed key for encryption (6fac406b-40ca-413b-bf8e-0bf964659c25)
add Policy Public network access should be disabled for PostgreSQL servers (b52376f7-9612-48a1-81cd-1ffe4b61032c)
add Policy Azure Event Grid topics should use private link (4b90e17e-8448-49db-875e-bd83fb6f804f)
add Policy MySQL servers should use customer-managed keys to encrypt data at rest (83cef61d-dbd1-4b20-a4fc-5fbc7da10833)
add Policy Azure Web Application Firewall should be enabled for Azure Front Door entry-points (055aa869-bc98-4af8-bafc-23f1ab6ffe2c)
add Policy Storage accounts should use private link (6edd7eda-6dd8-40f7-810d-67160c639cd9)
2020-12-11 15:42:52 add Policy Key Vault secrets should have an expiration date (98728c90-32c7-4049-8429-847dc0f4fe37)
add Policy Guest Configuration extension should be installed on your machines (ae89ebca-1c92-4898-ac2c-9f63decb045c)
add Policy Key Vault keys should have an expiration date (152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0)
add Policy Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity (d26f7642-7545-4e18-9b75-8c9bbdee3a9a)
remove Policy [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled (5fc23db3-dd4d-4c56-bcc7-43626243e601)
2020-10-27 14:12:47 add Policy Function apps that use Python should use a specified 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73)
add Policy Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af)
add Policy Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0)
add Policy Enforce SSL connection should be enabled for MySQL database servers (e802a67a-daf5-4436-9ea6-f6d821dd0c5d)
add Policy App Service apps that use Java should use a specified 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed)
add Policy Function apps that use Java should use a specified 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc)
add Policy Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430)
add Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16)
add Policy Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b)
add Policy Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970)
add Policy Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49)
add Policy [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609)
add Policy App Service apps that use PHP should use a specified 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3)
add Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba)
add Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39)
add Policy Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990)
add Policy App Service apps that use Python should use a specified 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73)
2020-10-13 13:23:38 add Policy Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d)
2020-09-15 14:06:41 add Policy [Deprecated]: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (a4fe33eb-e377-4efb-ab31-0784311bc499)
add Policy [Deprecated]: Operating system version should be the most current version for your cloud service roles (5a913c68-0590-402c-a531-e57e19379da3)
add Policy [Deprecated]: Log Analytics agent health issues should be resolved on your machines (d62cfe2b-3ab0-4d41-980d-76803b58ca65)
add Policy [Deprecated]: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring (a3a6ea0c-e018-4933-9ef0-5aaa1501449b)
add Policy [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates (6646a0bd-e110-40ca-bb97-84fcee63c414)
remove Policy [Deprecated]: Pod Security Policies should be defined on Kubernetes Services (3abeb944-26af-43ee-b83d-32aaf060fb94)
2020-08-28 14:17:28 add Policy Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751)
2020-08-20 14:04:33 add Policy [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) (5f0f936f-2f01-4bf5-b6be-d423792fa562)
add Policy Kubernetes cluster containers should only use allowed AppArmor profiles (511f5417-5d12-434d-ab2e-816901e72a5e)
add Policy Kubernetes cluster containers should not share host process ID or host IPC namespace (47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8)
add Policy Kubernetes cluster containers should run with a read only root file system (df49d893-a74c-421d-bc95-c663042e5b80)
add Policy Kubernetes cluster containers should only use allowed capabilities (c26596ff-4d70-4e6a-9a30-c2506bd2f80c)
add Policy Kubernetes cluster pods should only use approved host network and port range (82985f06-dc18-4a48-bc1c-b9f4f0098cfe)
add Policy Kubernetes cluster pod hostPath volumes should only use allowed host paths (098fc59e-46c7-4d99-9b16-64990e543d75)
add Policy Kubernetes clusters should not allow container privilege escalation (1c6e92c9-99f0-4e55-9cf2-0c234dc48f99)
remove Policy SQL Auditing settings should have Action-Groups configured to capture critical activities (7ff426e2-515f-405a-91c8-4f2333442eb5)
2020-08-07 14:05:08 add Policy Kubernetes cluster services should listen only on allowed ports (233a2a17-77ca-4fb1-9b6b-69223d272a44)
add Policy Kubernetes cluster should not allow privileged containers (95edb821-ddaf-4404-9732-666045e056b4)
add Policy Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters (0a15ec92-a229-4763-bb14-0ea34a568f8d)
add Policy Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits (e345eecc-fa47-480f-9e88-67dcc122b164)
add Policy Kubernetes cluster containers should only use allowed images (febd0533-8e55-448f-b837-bd0e06f16469)
add Policy Kubernetes cluster pods and containers should only run with approved user and group IDs (f06ddb64-5fa3-4b77-b166-acb36f7f6042)
add Policy [Deprecated]: Kubernetes cluster containers should only listen on allowed ports (440b515e-a580-421e-abeb-b159a61ddcbc)
2020-06-23 16:03:23 add Policy [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a)
add Policy Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2)
add Policy Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047)
add Policy Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb)
add Policy Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d)
add Policy Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b)
add Policy [Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4)
add Policy [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings (bda18df3-5e41-4709-add9-2554ce68c966)
remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings (e756b945-1b1b-480b-8de8-9a0859d5f7ad)
remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings (aeb23562-188d-47cb-80b8-551f16ef9fff)
remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings (c8343d2f-fdc9-4a97-b76f-fc71d1163bfc)
remove Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278)
remove Policy [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts (3965c43d-b5f4-482e-b74a-d89ee0e0b3a8)
2020-06-11 19:46:04 add Policy Non-internet-facing virtual machines should be protected with network security groups (bb91dfba-c30d-4263-9add-9c2384e659a6)
remove Policy Authorization rules on the Event Hub instance should be defined (f4826e5f-6a27-407c-ae3e-9582eb39891d)
remove Policy All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace (b278e460-7cfc-4451-8294-cccc40a940d7)
remove Policy All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace (a1817ec0-a368-432a-8057-8371e17ac6ee)
2020-05-29 15:39:26 add Policy Certificates should have the specified maximum validity period (0a075868-4c26-42ef-914c-5bc007359560)
add Policy [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines (d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e)
add Policy [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines (842c54e8-c2f9-4d79-ae8d-38d8b8019373)
add Policy [Deprecated]: Allowlist rules in your adaptive application control policy should be updated (123a3936-f020-408a-ba0c-47873faf1534)
2020-04-22 04:43:14 add Policy [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled (5fc23db3-dd4d-4c56-bcc7-43626243e601)
add Policy Windows Defender Exploit Guard should be enabled on your machines (bed48b13-6647-468e-aa2f-1af1d3f4dd40)
add Policy [Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c)
2020-03-10 16:29:48 Name change: '[Preview]: Enable Monitoring in Azure Security Center' to 'Enable Monitoring in Azure Security Center'
2020-02-20 08:25:18 remove Policy [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM (201ea587-7c90-41c3-910f-c280ae01cfd6)
remove Policy [Deprecated]: Access to App Services should be restricted (1a833ff1-d297-4a0f-9944-888428f8e0ff)
2019-12-04 08:49:52 remove Policy [Deprecated]: Metric alert rules should be configured on Batch accounts (26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7)
2019-11-27 16:13:13 add Policy [Preview]: Network traffic data collection agent should be installed on Linux virtual machines (04c4380f-3fae-46e8-96c9-30193528f602)
add Policy [Preview]: Network traffic data collection agent should be installed on Windows virtual machines (2f2ee1de-44aa-4762-b6bd-0893fc3f306d)
2019-10-29 23:53:40 add Policy App Service apps should require FTPS only (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b)
add Policy [Deprecated]: FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5)
add Policy Function apps should require FTPS only (399b2637-a50f-4f95-96f8-3a145476eb15)
add Policy Function apps should use managed identity (0da106f2-4ca3-48e8-bc85-c638fe6aea8f)
add Policy Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193)
add Policy [Deprecated]: Managed identity should be used in your API App (c4d441f8-f9d9-4a9e-9cef-e82117cb3eef)
add Policy App Service apps should use managed identity (2b9ad585-36bc-4615-b300-fd4435808332)
add Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e)
add Policy App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b)
JSON compare
compare mode: version left: version right:
JSON
api-version=2023-04-01
EPAC