AzInitiativeAdvertizer

last sync: 2022-Dec-02 17:43:04 UTC

Azure Policy Initiative

Azure Security Benchmark

Name

Azure Security Benchmark
Azure Portal

1f3afdf9-d0c9-4c3d-847f-89da613e70a8

Version

55.0.0
details on versioning

Category

Security Center
Microsoft docs

Description

The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v3, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.

Type

BuiltIn

Deprecated

False

Preview

False

History

Date/Time (UTC ymd) (i)	Changes
2022-11-11 17:43:56	add Policy Microsoft Defender CSPM should be enabled (1f90fc71-a595-4066-8974-d4d0802e8ef0) Version change: '54.1.1' to '55.0.0'
2022-09-27 16:35:21	Version change: '54.1.0' to '54.1.1'
2022-09-09 16:35:25	add Policy [Preview]: Machines should be configured to periodically check for missing system updates (bd876905-5b84-4f73-ab2d-2e7a7c4568d9) add Policy [Preview]: System updates should be installed on your machines (powered by Update Center) (f85bf3e0-d513-442e-89c3-1784ad63382b) Version change: '54.0.0' to '54.1.0'
2022-09-01 16:38:24	add Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046) add Policy Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) add Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5) add Policy Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52) add Policy Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52) add Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87) add Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) add Policy Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a) Version change: '53.0.0' to '54.0.0'
2022-08-31 16:35:07	Description change: 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.' to 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v3, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.'
2022-08-18 16:32:47	Version change: '52.0.0' to '53.0.0' remove Policy Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52) remove Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87) remove Policy Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) remove Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5) remove Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) remove Policy Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a) remove Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046) remove Policy Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52)
2022-08-12 16:33:44	add Policy Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) add Policy Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52) add Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046) add Policy Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52) add Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5) add Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87) add Policy Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a) add Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) Version change: '51.0.0' to '52.0.0'
2022-07-07 16:32:14	Version change: '50.3.0' to '51.0.0' remove Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16) remove Policy [Deprecated]: Managed identity should be used in your API App (c4d441f8-f9d9-4a9e-9cef-e82117cb3eef) remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e) remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba) remove Policy [Deprecated]: CORS should not allow every resource to access your API App (358c20a6-3f9e-4f0e-97ff-c6ce485e2aac) remove Policy [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled (0c192fe8-9cbb-4516-85b3-0ade8bd03886) remove Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39) remove Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e) remove Policy [Deprecated]: FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5)
2022-06-30 16:33:05	Version change: '50.2.0' to '50.3.0'
2022-06-23 16:36:57	Version change: '50.1.0' to '50.2.0'
2022-06-16 16:34:43	Version change: '50.0.0' to '50.1.0'
2022-06-10 16:31:22	Version change: '49.0.0' to '50.0.0' remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2022-05-26 16:30:17	add Policy Azure SignalR Service should use private link (2393d2cf-a342-44cd-a2e2-fe0188fd1234) Version change: '48.2.0' to '49.0.0' remove Policy [Deprecated]: Azure SignalR Service should use private link (53503636-bcc9-4748-9663-5348217f160f)
2022-05-12 16:30:30	Version change: '47.0.0' to '48.2.0' remove Policy [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates (6646a0bd-e110-40ca-bb97-84fcee63c414)
2022-04-22 19:50:54	add Policy Azure Cache for Redis should use private link (7803067c-7d34-46e3-8c79-0ca68fc4036d) Version change: '46.2.0' to '47.0.0' remove Policy [Deprecated]: Azure Cache for Redis should reside within a virtual network (7d092e0a-7acd-40d2-a975-dca21cae48c4)
2022-04-01 20:29:13	add Policy Cosmos DB database accounts should have local authentication methods disabled (5450f5bd-9c72-4390-a9c4-a7aba4edfdd2) Version change: '45.2.0' to '46.2.0'
2022-03-18 17:53:48	Version change: '45.0.0' to '45.2.0'
2022-01-20 18:36:46	add Policy [Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed (6b2122c1-8120-4ff5-801b-17625a355590)
2022-01-13 19:18:29	remove Policy [Deprecated]: Diagnostic logs in App Services should be enabled (b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) remove Policy [Deprecated]: Kubernetes cluster containers should only listen on allowed ports (440b515e-a580-421e-abeb-b159a61ddcbc)
2021-12-08 16:24:23	add Policy Running container images should have vulnerability findings resolved (0fc39691-5a3f-4e3e-94ee-2e6447309ad9) add Policy SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8) add Policy Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38) add Policy SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2) remove Policy [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a) remove Policy [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest (0d134df8-db83-46fb-ad72-fe0c9428c8dd) remove Policy [Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4) remove Policy [Deprecated]: Sensitive data in your SQL databases should be classified (cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349) remove Policy [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest (048248b0-55cd-46da-b1ff-39efd52db260)
2021-11-15 17:00:50	add Policy Linux machines should have Log Analytics agent installed on Azure Arc (1e7fed80-8321-4605-b42c-65fc300f23a3) add Policy Windows machines should have Log Analytics agent installed on Azure Arc (4078e558-bda6-41fb-9b3c-361e8875200d) add Policy App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510) remove Policy [Deprecated]: Log Analytics agent health issues should be resolved on your machines (d62cfe2b-3ab0-4d41-980d-76803b58ca65)
2021-10-14 16:31:34	add Policy Azure Defender for open-source relational databases should be enabled (0a9fbe0d-c5c4-4da8-87d8-f4fd77338835)
2021-09-30 16:01:51	add Policy [Preview]: Kubernetes clusters should gate deployment of vulnerable images (13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759)
2021-09-23 15:53:12	add Policy Resource logs in Azure Kubernetes Service should be enabled (245fc9df-fa96-4414-9a0b-3738c2f7341c)
2021-09-03 15:41:53	add Policy Endpoint protection should be installed on your machines (1f7c564c-0a90-4d44-b7e1-9d456cffaee8) add Policy Endpoint protection health issues should be resolved on your machines (8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2)
2021-08-27 15:09:16	add Policy Azure Kubernetes Service clusters should have Defender profile enabled (a1840de2-8088-4ea8-b153-b4c723e9cb01)
2021-05-18 14:34:49	add Policy [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines (672fe5a1-2fcd-42d7-b85d-902b6e28c6ff) add Policy Kubernetes clusters should not use the default namespace (9f061a12-e40d-4183-a00e-171812443373) add Policy Kubernetes clusters should disable automounting API credentials (423dd1ba-798e-40e4-9c4d-b6902674b423) add Policy [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines (1cb4d9c2-f88f-4069-bee0-dba239a57b09) add Policy [Preview]: Secure Boot should be enabled on supported Windows virtual machines (97566dd7-78ae-4997-8b36-1c7bfe0d8121) add Policy [Preview]: vTPM should be enabled on supported virtual machines (1c30f9cd-b84c-49cc-aa2c-9288447cc3b3) add Policy Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities (d2e7ea85-6b44-4317-a0be-1b951587f626) add Policy [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets (f655e522-adff-494d-95c2-52d4f6d56a42) add Policy [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets (a21f8c92-9e22-4f09-b759-50500d1d2dda)
2021-05-04 14:34:05	remove Policy Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version (fb893a29-21bb-418c-a157-e99480ec364c) remove Policy [Deprecated]: Operating system version should be the most current version for your cloud service roles (5a913c68-0590-402c-a531-e57e19379da3)
2021-04-21 13:28:48	remove Policy [Deprecated]: Cognitive Services accounts should enable data encryption (2bdd0062-9d75-436e-89df-487dd8e4b3c7) remove Policy [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. (11566b39-f7f7-4b82-ab06-68d8700eb0a4)
2021-04-13 13:29:23	add Policy Windows machines should meet requirements of the Azure compute security baseline (72650e9f-97bc-4b2a-ab5f-9781a9fcecbc) add Policy Azure Defender for Resource Manager should be enabled (c3d20c29-b36d-48fe-808b-99a87530ad99) add Policy Linux machines should meet requirements for the Azure compute security baseline (fc9b3da7-8347-4380-8e70-0a0361d8dedd) add Policy Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d)
2021-03-24 14:32:49	add Policy [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed (8dfab9c4-fe7b-49ad-85e4-1e9be085358f)
2021-02-23 16:24:42	add Policy Cognitive Services accounts should restrict network access (037eea7a-bd0a-46c5-9a66-03aea78705d3) add Policy [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled (0c192fe8-9cbb-4516-85b3-0ade8bd03886) add Policy API Management services should use a virtual network (ef619a2c-cc4d-4d03-b2ba-8c94a834d85b) add Policy [Deprecated]: Cognitive Services accounts should enable data encryption (2bdd0062-9d75-436e-89df-487dd8e4b3c7) add Policy Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6) add Policy Authentication to Linux machines should require SSH keys (630c64f9-8b6b-4c64-b511-6544ceff6fd6) add Policy Private endpoint connections on Azure SQL Database should be enabled (7698e800-9299-47a6-b3b6-5a0fee576eed) add Policy Kubernetes clusters should be accessible only over HTTPS (1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) add Policy Azure Cosmos DB accounts should have firewall rules (862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) add Policy [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. (11566b39-f7f7-4b82-ab06-68d8700eb0a4) add Policy Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112) add Policy Public network access on Azure SQL Database should be disabled (1b8ca024-1d5c-4dec-8995-b1a932b41780) add Policy Cognitive Services accounts should disable public network access (0725b4dd-7e76-479c-a735-68e7ee23d5ca)
2021-02-09 14:46:37	Name change: 'Enable Monitoring in Azure Security Center' to 'Azure Security Benchmark' Description change: 'Monitor all the available security recommendations in Azure Security Center. This is the default policy for Azure Security Center.' to 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.'
2021-01-22 09:14:56	remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)
2021-01-05 16:06:49	add Policy Azure Event Grid domains should use private link (9830b652-8523-49cc-b1b3-e17dce1127ca) add Policy MySQL servers should use customer-managed keys to encrypt data at rest (83cef61d-dbd1-4b20-a4fc-5fbc7da10833) add Policy Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7) add Policy Web Application Firewall (WAF) should be enabled for Application Gateway (564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) add Policy Public network access should be disabled for MySQL servers (d9844e8a-1437-4aeb-a32c-0c992f056095) add Policy Email notification to subscription owner for high severity alerts should be enabled (0b15565f-aa9e-48ba-8619-45960f2c314d) add Policy Storage accounts should use private link (6edd7eda-6dd8-40f7-810d-67160c639cd9) add Policy Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17) add Policy SQL servers on machines should have vulnerability findings resolved (6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) add Policy [Preview]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147) add Policy Public network access should be disabled for PostgreSQL servers (b52376f7-9612-48a1-81cd-1ffe4b61032c) add Policy Function apps should have 'Client Certificates (Incoming client certificates)' enabled (eaebaea7-8013-4ceb-9d14-7eb32271373c) add Policy [Deprecated]: Azure Cache for Redis should reside within a virtual network (7d092e0a-7acd-40d2-a975-dca21cae48c4) add Policy Container registries should be encrypted with a customer-managed key (5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) add Policy App Configuration should use private link (ca610c1d-041c-4332-9d88-7ed3094967c7) add Policy Container registries should not allow unrestricted network access (d0793b48-0edc-4296-a390-4c75d1bdfd71) add Policy PostgreSQL servers should use customer-managed keys to encrypt data at rest (18adea5e-f416-4d0f-8aa8-d24321e3e274) add Policy Storage accounts should restrict network access using virtual network rules (2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) add Policy Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077) add Policy Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) add Policy Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest (1f905d99-2ab7-462c-a6b0-f709acca6c8f) add Policy VM Image Builder templates should use private link (2154edb9-244f-4741-9970-660785bccdaa) add Policy Cognitive Services accounts should enable data encryption with a customer-managed key (67121cc7-ff39-4ab8-b7e3-95b84dab487d) add Policy Key vaults should have soft delete enabled (1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d) add Policy [Deprecated]: Azure SignalR Service should use private link (53503636-bcc9-4748-9663-5348217f160f) add Policy Azure Machine Learning workspaces should use private link (40cec1dd-a100-4920-b15b-3024fe8901ab) add Policy Container registries should use private link (e8eef0a8-67cf-4eb4-9386-14b0e78733d4) add Policy Email notification for high severity alerts should be enabled (6e2593d9-add6-4083-9c9b-4b7d2188c899) add Policy Storage accounts should use customer-managed key for encryption (6fac406b-40ca-413b-bf8e-0bf964659c25) add Policy Azure Event Grid topics should use private link (4b90e17e-8448-49db-875e-bd83fb6f804f) add Policy Azure Web Application Firewall should be enabled for Azure Front Door entry-points (055aa869-bc98-4af8-bafc-23f1ab6ffe2c) add Policy Azure Key Vault should have firewall enabled (55615ac9-af46-4a59-874e-391cc3dfb490) add Policy Azure Machine Learning workspaces should be encrypted with a customer-managed key (ba769a63-b8cc-4b2d-abf6-ac33c7204be8) add Policy Azure Spring Cloud should use network injection (af35e2a4-ef96-44e7-a9ae-853dd97032c4)
2020-12-11 15:42:52	add Policy Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity (d26f7642-7545-4e18-9b75-8c9bbdee3a9a) add Policy Guest Configuration extension should be installed on your machines (ae89ebca-1c92-4898-ac2c-9f63decb045c) add Policy Key Vault keys should have an expiration date (152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0) add Policy Key Vault secrets should have an expiration date (98728c90-32c7-4049-8429-847dc0f4fe37) remove Policy [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled (5fc23db3-dd4d-4c56-bcc7-43626243e601)
2020-10-27 14:12:47	add Policy App Service apps that use Python should use the latest 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73) add Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16) add Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba) add Policy Function apps that use Python should use the latest 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73) add Policy Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0) add Policy Enforce SSL connection should be enabled for MySQL database servers (e802a67a-daf5-4436-9ea6-f6d821dd0c5d) add Policy Function apps that use Java should use the latest 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) add Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39) add Policy Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430) add Policy Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990) add Policy App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609) add Policy Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af) add Policy Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970) add Policy App Service apps that use Java should use the latest 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed) add Policy Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b) add Policy App Service apps that use PHP should use the latest 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3) add Policy Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49)
2020-10-13 13:23:38	add Policy Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d)
2020-09-15 14:06:41	add Policy [Deprecated]: Operating system version should be the most current version for your cloud service roles (5a913c68-0590-402c-a531-e57e19379da3) add Policy [Deprecated]: Log Analytics agent health issues should be resolved on your machines (d62cfe2b-3ab0-4d41-980d-76803b58ca65) add Policy Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (a4fe33eb-e377-4efb-ab31-0784311bc499) add Policy [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates (6646a0bd-e110-40ca-bb97-84fcee63c414) add Policy Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring (a3a6ea0c-e018-4933-9ef0-5aaa1501449b) remove Policy [Deprecated]: Pod Security Policies should be defined on Kubernetes Services (3abeb944-26af-43ee-b83d-32aaf060fb94)
2020-08-28 14:17:28	add Policy [Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751)
2020-08-20 14:04:33	add Policy Kubernetes cluster containers should run with a read only root file system (df49d893-a74c-421d-bc95-c663042e5b80) add Policy Kubernetes cluster containers should only use allowed AppArmor profiles (511f5417-5d12-434d-ab2e-816901e72a5e) add Policy Kubernetes cluster pod hostPath volumes should only use allowed host paths (098fc59e-46c7-4d99-9b16-64990e543d75) add Policy Kubernetes cluster containers should not share host process ID or host IPC namespace (47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) add Policy Container registry images should have vulnerability findings resolved (5f0f936f-2f01-4bf5-b6be-d423792fa562) add Policy Kubernetes clusters should not allow container privilege escalation (1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) add Policy Kubernetes cluster pods should only use approved host network and port range (82985f06-dc18-4a48-bc1c-b9f4f0098cfe) add Policy Kubernetes cluster containers should only use allowed capabilities (c26596ff-4d70-4e6a-9a30-c2506bd2f80c) remove Policy SQL Auditing settings should have Action-Groups configured to capture critical activities (7ff426e2-515f-405a-91c8-4f2333442eb5)
2020-08-07 14:05:08	add Policy Kubernetes cluster pods and containers should only run with approved user and group IDs (f06ddb64-5fa3-4b77-b166-acb36f7f6042) add Policy Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits (e345eecc-fa47-480f-9e88-67dcc122b164) add Policy [Deprecated]: Kubernetes cluster containers should only listen on allowed ports (440b515e-a580-421e-abeb-b159a61ddcbc) add Policy Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters (0a15ec92-a229-4763-bb14-0ea34a568f8d) add Policy Kubernetes cluster containers should only use allowed images (febd0533-8e55-448f-b837-bd0e06f16469) add Policy Kubernetes cluster services should listen only on allowed ports (233a2a17-77ca-4fb1-9b6b-69223d272a44) add Policy Kubernetes cluster should not allow privileged containers (95edb821-ddaf-4404-9732-666045e056b4)
2020-06-23 16:03:23	add Policy Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa) add Policy Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047) add Policy Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d) add Policy Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) add Policy [Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4) add Policy Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b) add Policy [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a) add Policy Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb) remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings (c8343d2f-fdc9-4a97-b76f-fc71d1163bfc) remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings (aeb23562-188d-47cb-80b8-551f16ef9fff) remove Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278) remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings (bda18df3-5e41-4709-add9-2554ce68c966) remove Policy [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts (3965c43d-b5f4-482e-b74a-d89ee0e0b3a8) remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings (e756b945-1b1b-480b-8de8-9a0859d5f7ad)
2020-06-11 19:46:04	add Policy Non-internet-facing virtual machines should be protected with network security groups (bb91dfba-c30d-4263-9add-9c2384e659a6) remove Policy Authorization rules on the Event Hub instance should be defined (f4826e5f-6a27-407c-ae3e-9582eb39891d) remove Policy All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace (b278e460-7cfc-4451-8294-cccc40a940d7) remove Policy All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace (a1817ec0-a368-432a-8057-8371e17ac6ee)
2020-05-29 15:39:26	add Policy Allowlist rules in your adaptive application control policy should be updated (123a3936-f020-408a-ba0c-47873faf1534) add Policy [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines (842c54e8-c2f9-4d79-ae8d-38d8b8019373) add Policy [Preview]: Certificates should have the specified maximum validity period (0a075868-4c26-42ef-914c-5bc007359560) add Policy [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines (d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e)
2020-04-22 04:43:14	add Policy Windows Defender Exploit Guard should be enabled on your machines (bed48b13-6647-468e-aa2f-1af1d3f4dd40) add Policy [Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c) add Policy [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled (5fc23db3-dd4d-4c56-bcc7-43626243e601)
2020-03-10 16:29:48	Name change: '[Preview]: Enable Monitoring in Azure Security Center' to 'Enable Monitoring in Azure Security Center'
2020-02-20 08:25:18	remove Policy [Deprecated]: Access to App Services should be restricted (1a833ff1-d297-4a0f-9944-888428f8e0ff) remove Policy [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM (201ea587-7c90-41c3-910f-c280ae01cfd6)
2019-12-04 08:49:52	remove Policy Metric alert rules should be configured on Batch accounts (26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7)
2019-11-27 16:13:13	add Policy [Preview]: Network traffic data collection agent should be installed on Windows virtual machines (2f2ee1de-44aa-4762-b6bd-0893fc3f306d) add Policy [Preview]: Network traffic data collection agent should be installed on Linux virtual machines (04c4380f-3fae-46e8-96c9-30193528f602)
2019-10-29 23:53:40	add Policy [Deprecated]: FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5) add Policy Function apps should use managed identity (0da106f2-4ca3-48e8-bc85-c638fe6aea8f) add Policy [Deprecated]: Managed identity should be used in your API App (c4d441f8-f9d9-4a9e-9cef-e82117cb3eef) add Policy Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193) add Policy Function apps should require FTPS only (399b2637-a50f-4f95-96f8-3a145476eb15) add Policy App Service apps should require FTPS only (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) add Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e) add Policy App Service apps should use managed identity (2b9ad585-36bc-4615-b300-fd4435808332) add Policy App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b)

Policy count

Total Policies: 206
Builtin Policies: 206
Static Policies: 0

Policy used

Policy DisplayName	Policy Id	Category	Effect	State
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall	fc5e4038-4584-4632-8c85-c0448d374b2c	Network	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed	8dfab9c4-fe7b-49ad-85e4-1e9be085358f	Kubernetes	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed	6b2122c1-8120-4ff5-801b-17625a355590	Kubernetes	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Certificates should have the specified maximum validity period	0a075868-4c26-42ef-914c-5bc007359560	Key Vault	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	Preview
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines	672fe5a1-2fcd-42d7-b85d-902b6e28c6ff	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets	a21f8c92-9e22-4f09-b759-50500d1d2dda	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines	1cb4d9c2-f88f-4069-bee0-dba239a57b09	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets	f655e522-adff-494d-95c2-52d4f6d56a42	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Kubernetes clusters should gate deployment of vulnerable images	13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759	Kubernetes	Default Audit Allowed Audit, Deny, Disabled	Preview
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	842c54e8-c2f9-4d79-ae8d-38d8b8019373	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Machines should be configured to periodically check for missing system updates	bd876905-5b84-4f73-ab2d-2e7a7c4568d9	Update Management Center	Default Audit Allowed Audit, Deny, Disabled	Preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines	04c4380f-3fae-46e8-96c9-30193528f602	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines	2f2ee1de-44aa-4762-b6bd-0893fc3f306d	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: Private endpoint should be configured for Key Vault	5f0bc445-3935-4915-9981-011aa2b46147	Key Vault	Default Audit Allowed Audit, Deny, Disabled	Preview
[Preview]: Secure Boot should be enabled on supported Windows virtual machines	97566dd7-78ae-4997-8b36-1c7bfe0d8121	Security Center	Default Audit Allowed Audit, Disabled	Preview
[Preview]: Storage account public access should be disallowed	4fa4b6c0-31ca-4c0d-b10d-24b96f62a751	Storage	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	Preview
[Preview]: System updates should be installed on your machines (powered by Update Center)	f85bf3e0-d513-442e-89c3-1784ad63382b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	Preview
[Preview]: vTPM should be enabled on supported virtual machines	1c30f9cd-b84c-49cc-aa2c-9288447cc3b3	Security Center	Default Audit Allowed Audit, Disabled	Preview
A maximum of 3 owners should be designated for your subscription	4f11b553-d42e-4e3a-89be-32ca364cad4c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
A vulnerability assessment solution should be enabled on your virtual machines	501541f7-f7e7-4cd6-868c-4190fdad3ac9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Accounts with owner permissions on Azure resources should be MFA enabled	e3e008c3-56b9-4133-8fd7-d3347377402a	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Accounts with read permissions on Azure resources should be MFA enabled	81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Accounts with write permissions on Azure resources should be MFA enabled	931e118d-50a1-4457-a5e4-78550e086c52	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Adaptive application controls for defining safe applications should be enabled on your machines	47a6b606-51aa-4496-8bb7-64b11cf66adc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines	08e6af2d-db70-460a-bfe9-d5bd474ba9d6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
All network ports should be restricted on network security groups associated to your virtual machine	9daedab3-fb2d-461e-b861-71790eead4f6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Allowlist rules in your adaptive application control policy should be updated	123a3936-f020-408a-ba0c-47873faf1534	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
An Azure Active Directory administrator should be provisioned for SQL servers	1f314764-cb73-4fc9-b863-8eca98ac36e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
API Management services should use a virtual network	ef619a2c-cc4d-4d03-b2ba-8c94a834d85b	API Management	Default Audit Allowed Audit, Disabled	GA
App Configuration should use private link	ca610c1d-041c-4332-9d88-7ed3094967c7	App Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled	5bb220d9-2698-4ee4-8404-b9c30c9df609	App Service	Default Audit Allowed Audit, Disabled	GA
App Service apps should have remote debugging turned off	cb510bfd-1cba-4d9f-a230-cb0976f4bb71	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
App Service apps should have resource logs enabled	91a78b24-f231-4a8a-8da9-02c35b2b6510	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
App Service apps should not have CORS configured to allow every resource to access your apps	5744710e-cc2f-4ee8-8809-3b11e89f4bc9	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
App Service apps should only be accessible over HTTPS	a4af4a39-4135-47fb-b175-47fbdf85311d	App Service	Default Audit Allowed Audit, Disabled, Deny	GA
App Service apps should require FTPS only	4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
App Service apps should use managed identity	2b9ad585-36bc-4615-b300-fd4435808332	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
App Service apps should use the latest TLS version	f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
App Service apps that use Java should use the latest 'Java version'	496223c3-ad65-4ecd-878a-bae78737e9ed	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
App Service apps that use PHP should use the latest 'PHP version'	7261b898-8a84-4db8-9e04-18527132abb3	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
App Service apps that use Python should use the latest 'Python version'	7008174a-fd10-4ef0-817e-fc820a951d73	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Audit usage of custom RBAC rules	a451c1ef-c6ca-483d-87ed-f49761e3ffb5	General	Default Audit Allowed Audit, Disabled	GA
Auditing on SQL server should be enabled	a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Authentication to Linux machines should require SSH keys	630c64f9-8b6b-4c64-b511-6544ceff6fd6	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Authorized IP ranges should be defined on Kubernetes Services	0e246bcf-5f6f-4f87-bc6f-775d4712c7ea	Security Center	Default Audit Allowed Audit, Disabled	GA
Auto provisioning of the Log Analytics agent should be enabled on your subscription	475aae12-b88a-4572-8b36-9b712b2b3a17	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Automation account variables should be encrypted	3657f5a0-770e-44a3-b44e-9431ba1e9735	Automation	Default Audit Allowed Audit, Deny, Disabled	GA
Azure Backup should be enabled for Virtual Machines	013e242c-8828-4970-87b3-ab247555486d	Backup	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Cache for Redis should use private link	7803067c-7d34-46e3-8c79-0ca68fc4036d	Cache	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Cosmos DB accounts should have firewall rules	862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb	Cosmos DB	Default Deny Allowed Audit, Deny, Disabled	GA
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest	1f905d99-2ab7-462c-a6b0-f709acca6c8f	Cosmos DB	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Azure DDoS Protection Standard should be enabled	a7aca53f-2ed4-4466-a25e-0b45ade68efd	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for App Service should be enabled	2913021d-f2fd-4f3d-b958-22354e2bdbcb	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for Azure SQL Database servers should be enabled	7fe3b40f-802b-4cdd-8bd4-fd799c948cc2	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for DNS should be enabled	bdc59948-5574-49b3-bb91-76b7c986428d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for Key Vault should be enabled	0e6763cc-5078-4e64-889d-ff4d9a839047	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for open-source relational databases should be enabled	0a9fbe0d-c5c4-4da8-87d8-f4fd77338835	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for Resource Manager should be enabled	c3d20c29-b36d-48fe-808b-99a87530ad99	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for servers should be enabled	4da35fc9-c9e7-4960-aec9-797fe7d9051d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for SQL servers on machines should be enabled	6581d072-105e-4418-827f-bd446d56421b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for SQL should be enabled for unprotected Azure SQL servers	abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances	abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Defender for Storage should be enabled	308fbb08-4ab8-4e67-9b29-592e93fb94fa	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Azure Event Grid domains should use private link	9830b652-8523-49cc-b1b3-e17dce1127ca	Event Grid	Default Audit Allowed Audit, Disabled	GA
Azure Event Grid topics should use private link	4b90e17e-8448-49db-875e-bd83fb6f804f	Event Grid	Default Audit Allowed Audit, Disabled	GA
Azure Key Vault should have firewall enabled	55615ac9-af46-4a59-874e-391cc3dfb490	Key Vault	Default Audit Allowed Audit, Deny, Disabled	GA
Azure Kubernetes Service clusters should have Defender profile enabled	a1840de2-8088-4ea8-b153-b4c723e9cb01	Kubernetes	Default Audit Allowed Audit, Disabled	GA
Azure Machine Learning workspaces should be encrypted with a customer-managed key	ba769a63-b8cc-4b2d-abf6-ac33c7204be8	Machine Learning	Default Audit Allowed Audit, Deny, Disabled	GA
Azure Machine Learning workspaces should use private link	40cec1dd-a100-4920-b15b-3024fe8901ab	Machine Learning	Default Audit Allowed Audit, Deny, Disabled	GA
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters	0a15ec92-a229-4763-bb14-0ea34a568f8d	Kubernetes	Default Audit Allowed Audit, Disabled	GA
Azure SignalR Service should use private link	2393d2cf-a342-44cd-a2e2-fe0188fd1234	SignalR	Default Audit Allowed Audit, Disabled	GA
Azure Spring Cloud should use network injection	af35e2a4-ef96-44e7-a9ae-853dd97032c4	App Platform	Default Audit Allowed Audit, Disabled, Deny	GA
Azure Web Application Firewall should be enabled for Azure Front Door entry-points	055aa869-bc98-4af8-bafc-23f1ab6ffe2c	Network	Default Audit Allowed Audit, Deny, Disabled	GA
Blocked accounts with owner permissions on Azure resources should be removed	0cfea604-3201-4e14-88fc-fae4c427a6c5	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Blocked accounts with read and write permissions on Azure resources should be removed	8d7e1fde-fe26-4b5f-8108-f8e432cbc2be	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Cognitive Services accounts should disable public network access	0725b4dd-7e76-479c-a735-68e7ee23d5ca	Cognitive Services	Default Audit Allowed Audit, Deny, Disabled	GA
Cognitive Services accounts should enable data encryption with a customer-managed key	67121cc7-ff39-4ab8-b7e3-95b84dab487d	Cognitive Services	Default Audit Allowed Audit, Deny, Disabled	GA
Cognitive Services accounts should restrict network access	037eea7a-bd0a-46c5-9a66-03aea78705d3	Cognitive Services	Default Audit Allowed Audit, Deny, Disabled	GA
Container registries should be encrypted with a customer-managed key	5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580	Container Registry	Default Audit Allowed Audit, Deny, Disabled	GA
Container registries should not allow unrestricted network access	d0793b48-0edc-4296-a390-4c75d1bdfd71	Container Registry	Default Audit Allowed Audit, Deny, Disabled	GA
Container registries should use private link	e8eef0a8-67cf-4eb4-9386-14b0e78733d4	Container Registry	Default Audit Allowed Audit, Disabled	GA
Container registry images should have vulnerability findings resolved	5f0f936f-2f01-4bf5-b6be-d423792fa562	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Cosmos DB database accounts should have local authentication methods disabled	5450f5bd-9c72-4390-a9c4-a7aba4edfdd2	Cosmos DB	Default Audit Allowed Audit, Deny, Disabled	GA
Deprecated accounts should be removed from your subscription	6b1cbf55-e8b6-442f-ba4c-7246b6381474	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Deprecated accounts with owner permissions should be removed from your subscription	ebb62a0c-3560-49e1-89ed-27e074e9f8ad	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Email notification for high severity alerts should be enabled	6e2593d9-add6-4083-9c9b-4b7d2188c899	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Email notification to subscription owner for high severity alerts should be enabled	0b15565f-aa9e-48ba-8619-45960f2c314d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Endpoint protection health issues should be resolved on your machines	8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Endpoint protection should be installed on your machines	1f7c564c-0a90-4d44-b7e1-9d456cffaee8	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Endpoint protection solution should be installed on virtual machine scale sets	26a828e1-e88f-464e-bbb3-c134a282b9de	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Enforce SSL connection should be enabled for MySQL database servers	e802a67a-daf5-4436-9ea6-f6d821dd0c5d	SQL	Default Audit Allowed Audit, Disabled	GA
Enforce SSL connection should be enabled for PostgreSQL database servers	d158790f-bfb0-486c-8631-2dc6b4e8e6af	SQL	Default Audit Allowed Audit, Disabled	GA
External accounts with owner permissions should be removed from your subscription	f8456c1c-aa66-4dfb-861a-25d127b775c9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
External accounts with read permissions should be removed from your subscription	5f76cf89-fbf2-47fd-a3f4-b891fa780b60	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
External accounts with write permissions should be removed from your subscription	5c607a2e-c700-4744-8254-d77e7c9eb5e4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Function apps should have 'Client Certificates (Incoming client certificates)' enabled	eaebaea7-8013-4ceb-9d14-7eb32271373c	App Service	Default Audit Allowed Audit, Disabled	GA
Function apps should have remote debugging turned off	0e60b895-3786-45da-8377-9c6b4b6ac5f9	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Function apps should not have CORS configured to allow every resource to access your apps	0820b7b9-23aa-4725-a1ce-ae4558f718e5	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Function apps should only be accessible over HTTPS	6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab	App Service	Default Audit Allowed Audit, Disabled, Deny	GA
Function apps should require FTPS only	399b2637-a50f-4f95-96f8-3a145476eb15	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Function apps should use managed identity	0da106f2-4ca3-48e8-bc85-c638fe6aea8f	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Function apps should use the latest TLS version	f9d614c5-c173-4d56-95a7-b4437057d193	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Function apps that use Java should use the latest 'Java version'	9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Function apps that use Python should use the latest 'Python version'	7238174a-fd10-4ef0-817e-fc820a951d73	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Geo-redundant backup should be enabled for Azure Database for MariaDB	0ec47710-77ff-4a3d-9181-6aa50af424d0	SQL	Default Audit Allowed Audit, Disabled	GA
Geo-redundant backup should be enabled for Azure Database for MySQL	82339799-d096-41ae-8538-b108becf0970	SQL	Default Audit Allowed Audit, Disabled	GA
Geo-redundant backup should be enabled for Azure Database for PostgreSQL	48af4db5-9b8b-401c-8e74-076be876a430	SQL	Default Audit Allowed Audit, Disabled	GA
Guest accounts with owner permissions on Azure resources should be removed	339353f6-2387-4a45-abe4-7f529d121046	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Guest accounts with read permissions on Azure resources should be removed	e9ac8f8e-ce22-4355-8f04-99b911d6be52	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Guest accounts with write permissions on Azure resources should be removed	94e1c2ac-cbbe-4cac-a2b5-389c812dee87	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Guest Configuration extension should be installed on your machines	ae89ebca-1c92-4898-ac2c-9f63decb045c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Internet-facing virtual machines should be protected with network security groups	f6de0be7-9a8a-4b8a-b349-43cf02d22f7c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
IP Forwarding on your virtual machine should be disabled	bd352bd5-2853-4985-bf0d-73806b4a5744	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Key Vault keys should have an expiration date	152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0	Key Vault	Default Audit Allowed Audit, Deny, Disabled	GA
Key Vault secrets should have an expiration date	98728c90-32c7-4049-8429-847dc0f4fe37	Key Vault	Default Audit Allowed Audit, Deny, Disabled	GA
Key vaults should have purge protection enabled	0b60c0b2-2dc2-4e1c-b5c9-abbed971de53	Key Vault	Default Audit Allowed Audit, Deny, Disabled	GA
Key vaults should have soft delete enabled	1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d	Key Vault	Default Audit Allowed Audit, Deny, Disabled	GA
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits	e345eecc-fa47-480f-9e88-67dcc122b164	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster containers should not share host process ID or host IPC namespace	47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster containers should only use allowed AppArmor profiles	511f5417-5d12-434d-ab2e-816901e72a5e	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster containers should only use allowed capabilities	c26596ff-4d70-4e6a-9a30-c2506bd2f80c	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster containers should only use allowed images	febd0533-8e55-448f-b837-bd0e06f16469	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster containers should run with a read only root file system	df49d893-a74c-421d-bc95-c663042e5b80	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster pod hostPath volumes should only use allowed host paths	098fc59e-46c7-4d99-9b16-64990e543d75	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster pods and containers should only run with approved user and group IDs	f06ddb64-5fa3-4b77-b166-acb36f7f6042	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster pods should only use approved host network and port range	82985f06-dc18-4a48-bc1c-b9f4f0098cfe	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster services should listen only on allowed ports	233a2a17-77ca-4fb1-9b6b-69223d272a44	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes cluster should not allow privileged containers	95edb821-ddaf-4404-9732-666045e056b4	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes clusters should be accessible only over HTTPS	1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes clusters should disable automounting API credentials	423dd1ba-798e-40e4-9c4d-b6902674b423	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes clusters should not allow container privilege escalation	1c6e92c9-99f0-4e55-9cf2-0c234dc48f99	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities	d2e7ea85-6b44-4317-a0be-1b951587f626	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Kubernetes clusters should not use the default namespace	9f061a12-e40d-4183-a00e-171812443373	Kubernetes	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Linux machines should have Log Analytics agent installed on Azure Arc	1e7fed80-8321-4605-b42c-65fc300f23a3	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Linux machines should meet requirements for the Azure compute security baseline	fc9b3da7-8347-4380-8e70-0a0361d8dedd	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring	a4fe33eb-e377-4efb-ab31-0784311bc499	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring	a3a6ea0c-e018-4933-9ef0-5aaa1501449b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Management ports of virtual machines should be protected with just-in-time network access control	b0f33259-77d7-4c9e-aac6-3aabcfae693c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Management ports should be closed on your virtual machines	22730e10-96f6-4aac-ad84-9383d35b5917	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
MFA should be enabled for accounts with write permissions on your subscription	9297c21d-2ed6-4474-b48f-163f75654ce3	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
MFA should be enabled on accounts with owner permissions on your subscription	aa633080-8b72-40c4-a2d7-d00c03e80bed	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
MFA should be enabled on accounts with read permissions on your subscription	e3576e28-8b17-4677-84c3-db2990658d64	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Microsoft Defender CSPM should be enabled	1f90fc71-a595-4066-8974-d4d0802e8ef0	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Microsoft Defender for Containers should be enabled	1c988dd6-ade4-430f-a608-2a3e5b0a6d38	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Monitor missing Endpoint Protection in Azure Security Center	af6cd1bd-1635-48cb-bde7-5b15693900b9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
MySQL servers should use customer-managed keys to encrypt data at rest	83cef61d-dbd1-4b20-a4fc-5fbc7da10833	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Network Watcher should be enabled	b6e2945c-0b7b-40f5-9233-7a5323b5cdc6	Network	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Non-internet-facing virtual machines should be protected with network security groups	bb91dfba-c30d-4263-9add-9c2384e659a6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Only secure connections to your Azure Cache for Redis should be enabled	22bee202-a82f-4305-9a2a-6d7f44d4dedb	Cache	Default Audit Allowed Audit, Deny, Disabled	GA
PostgreSQL servers should use customer-managed keys to encrypt data at rest	18adea5e-f416-4d0f-8aa8-d24321e3e274	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Private endpoint connections on Azure SQL Database should be enabled	7698e800-9299-47a6-b3b6-5a0fee576eed	SQL	Default Audit Allowed Audit, Disabled	GA
Private endpoint should be enabled for MariaDB servers	0a1302fb-a631-4106-9753-f3d494733990	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Private endpoint should be enabled for MySQL servers	7595c971-233d-4bcf-bd18-596129188c49	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Private endpoint should be enabled for PostgreSQL servers	0564d078-92f5-4f97-8398-b9f58a51f70b	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Public network access on Azure SQL Database should be disabled	1b8ca024-1d5c-4dec-8995-b1a932b41780	SQL	Default Audit Allowed Audit, Deny, Disabled	GA
Public network access should be disabled for MariaDB servers	fdccbe47-f3e3-4213-ad5d-ea459b2fa077	SQL	Default Audit Allowed Audit, Deny, Disabled	GA
Public network access should be disabled for MySQL servers	d9844e8a-1437-4aeb-a32c-0c992f056095	SQL	Default Audit Allowed Audit, Deny, Disabled	GA
Public network access should be disabled for PostgreSQL servers	b52376f7-9612-48a1-81cd-1ffe4b61032c	SQL	Default Audit Allowed Audit, Deny, Disabled	GA
Resource logs in Azure Data Lake Store should be enabled	057ef27e-665e-4328-8ea3-04b3122bd9fb	Data Lake	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Azure Kubernetes Service should be enabled	245fc9df-fa96-4414-9a0b-3738c2f7341c	Kubernetes	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Azure Stream Analytics should be enabled	f9be5368-9bf5-4b84-9e0a-7850da98bb46	Stream Analytics	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Batch accounts should be enabled	428256e6-1fac-4f48-a757-df34c2b3336d	Batch	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Data Lake Analytics should be enabled	c95c74d9-38fe-4f0d-af86-0c7d626a315c	Data Lake	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Event Hub should be enabled	83a214f7-d01a-484b-91a9-ed54470c9a6a	Event Hub	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in IoT Hub should be enabled	383856f8-de7f-44a2-81fc-e5135b5c2aa4	Internet of Things	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Key Vault should be enabled	cf820ca0-f99e-4f3e-84fb-66e913812d21	Key Vault	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Logic Apps should be enabled	34f95f76-5386-4de7-b824-0d8478470c9d	Logic Apps	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Search services should be enabled	b4330a05-a843-4bc8-bf9a-cacce50c67f4	Search	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Service Bus should be enabled	f8d36e2f-389b-4ee4-898d-21aeb69a0f45	Service Bus	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Resource logs in Virtual Machine Scale Sets should be enabled	7c1b1214-f927-48bf-8882-84f0af6588b1	Compute	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Role-Based Access Control (RBAC) should be used on Kubernetes Services	ac4a19c2-fa67-49b4-8ae5-0b2e78c49457	Security Center	Default Audit Allowed Audit, Disabled	GA
Running container images should have vulnerability findings resolved	0fc39691-5a3f-4e3e-94ee-2e6447309ad9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Secure transfer to storage accounts should be enabled	404c3081-a854-4457-ae30-26a93ef643f9	Storage	Default Audit Allowed Audit, Deny, Disabled	GA
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign	617c02be-7f02-4efd-8836-3180d47b6c68	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	GA
Service Fabric clusters should only use Azure Active Directory for client authentication	b54ed75b-3e1a-44ac-a333-05ba39b99ff0	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	GA
SQL databases should have vulnerability findings resolved	feedbf84-6b99-488c-acc2-71c829aa5ffc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
SQL managed instances should use customer-managed keys to encrypt data at rest	ac01ad65-10e5-46df-bdd9-6b0cad13e1d2	SQL	Default Audit Allowed Audit, Deny, Disabled	GA
SQL servers on machines should have vulnerability findings resolved	6ba6d016-e7c3-4842-b8f2-4992ebc0d72d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
SQL servers should use customer-managed keys to encrypt data at rest	0a370ff3-6cab-4e85-8995-295fd854c5b8	SQL	Default Audit Allowed Audit, Deny, Disabled	GA
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher	89099bee-89e0-4b26-a5f4-165451757743	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Storage accounts should be migrated to new Azure Resource Manager resources	37e0d2fe-28a5-43d6-a273-67d37d1f5606	Storage	Default Audit Allowed Audit, Deny, Disabled	GA
Storage accounts should restrict network access	34c877ad-507e-4c82-993e-3452a6e0ad3c	Storage	Default Audit Allowed Audit, Deny, Disabled	GA
Storage accounts should restrict network access using virtual network rules	2a1a9cdf-e04d-429a-8416-3bfb72a1b26f	Storage	Default Audit Allowed Audit, Deny, Disabled	GA
Storage accounts should use customer-managed key for encryption	6fac406b-40ca-413b-bf8e-0bf964659c25	Storage	Default Audit Allowed Audit, Disabled	GA
Storage accounts should use private link	6edd7eda-6dd8-40f7-810d-67160c639cd9	Storage	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Subnets should be associated with a Network Security Group	e71308d3-144b-4262-b144-efdc3cc90517	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Subscriptions should have a contact email address for security issues	4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
System updates on virtual machine scale sets should be installed	c3f317a7-a95c-4547-b7e7-11017ebdf2fe	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
System updates should be installed on your machines	86b3d65f-7626-441e-b690-81a8b71cff60	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
There should be more than one owner assigned to your subscription	09024ccc-0c5f-475e-9457-b7c0d9ed487b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Transparent Data Encryption on SQL databases should be enabled	17k78e20-9358-41c9-923c-fb736d382a12	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity	d26f7642-7545-4e18-9b75-8c9bbdee3a9a	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Virtual machines should be migrated to new Azure Resource Manager resources	1d84d5fb-01f6-4d12-ba4f-4a26081d403d	Compute	Default Audit Allowed Audit, Deny, Disabled	GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources	0961003e-5a0a-4549-abde-af6a37f2724d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
VM Image Builder templates should use private link	2154edb9-244f-4741-9970-660785bccdaa	VM Image Builder	Default Audit Allowed Audit, Disabled, Deny	GA
Vulnerabilities in container security configurations should be remediated	e8cbc669-f12d-49eb-93e7-9273119e9933	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Vulnerabilities in security configuration on your machines should be remediated	e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated	3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Vulnerability assessment should be enabled on SQL Managed Instance	1b7aa243-30e4-4c9e-bca8-d0d3022b634a	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Vulnerability assessment should be enabled on your SQL servers	ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Web Application Firewall (WAF) should be enabled for Application Gateway	564feb30-bf6a-4854-b4bb-0d2d2d1e6c66	Network	Default Audit Allowed Audit, Deny, Disabled	GA
Windows Defender Exploit Guard should be enabled on your machines	bed48b13-6647-468e-aa2f-1af1d3f4dd40	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Windows machines should have Log Analytics agent installed on Azure Arc	4078e558-bda6-41fb-9b3c-361e8875200d	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Windows machines should meet requirements of the Azure compute security baseline	72650e9f-97bc-4b2a-ab5f-9781a9fcecbc	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Windows web servers should be configured to use secure communication protocols	5752e6d6-1206-46d8-8ab1-ecc2f71a8112	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA

Roles used

No Roles used

JSON