|
Initiative Rule
|
{
"properties": {
"displayName": "[Preview]: Australian Government ISM PROTECTED",
"policyType": "BuiltIn",
"description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of Australian Government Information Security Manual(ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint.",
"metadata": {
"version": "3.0.0-preview",
"category": "Regulatory Compliance",
"preview": true
},
"parameters": {
"IncludeArcMachines": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Include Arc connected servers for Guest Configuration policies",
"description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
},
"allowedValues": [
"true",
"false"
],
"defaultValue": "false"
},
"membersToExclude": {
"type": "String",
"metadata": {
"displayName": "[Preview]: List of users excluded from Windows VM Administrators group",
"description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
}
},
"logAnalyticsWorkspaceId": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Log Analytics Workspace Id that VMs should be configured for",
"description": "This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."
}
},
"vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports",
"description": "Enable or disable the monitoring of Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"adaptiveNetworkHardeningsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines",
"description": "Enable or disable the monitoring of Internet-facing virtual machines for Network Security Group traffic hardening recommendations"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityDesignateMoreThanOneOwnerMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: There should be more than one owner assigned to your subscription",
"description": "Enable or disable the monitoring of minimum owners in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diskEncryptionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Disk encryption should be applied on virtual machines",
"description": "Enable or disable the monitoring for VM disk encryption"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"functionAppDisableRemoteDebuggingMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Remote debugging should be turned off for Function App",
"description": "Enable or disable the monitoring of remote debugging for Function App"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlDbEncryptionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Transparent Data Encryption on SQL databases should be enabled",
"description": "Enable or disable the monitoring of unencrypted SQL databases"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Vulnerability assessment should be enabled on SQL Managed Instance",
"description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"aadAuthenticationInSqlServerMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: An Azure Active Directory administrator should be provisioned for SQL servers",
"description": "Enable or disable the monitoring of an Azure AD admininistrator for SQL server"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInRedisCacheMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Only secure connections to your Redis Cache should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Azure Redis Cache"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"vmssEndpointProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Endpoint protection solution should be installed on virtual machine scale sets",
"description": "Enable or disable the monitoring of virtual machine scale sets endpoint protection monitoring"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"listOfImageIdToIncludeWindows": {
"type": "Array",
"metadata": {
"displayName": "[Preview]: Optional: List of VM images that have supported Windows OS to add to scope",
"description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
},
"defaultValue": [
]
},
"listOfImageIdToIncludeLinux": {
"type": "Array",
"metadata": {
"displayName": "[Preview]: Optional: List of VM images that have supported Linux OS to add to scope",
"description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
},
"defaultValue": [
]
},
"auditUnrestrictedNetworkToStorageAccountMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Audit unrestricted network access to storage accounts",
"description": "Enable or disable the monitoring of network access to storage account"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"vmssOsVulnerabilitiesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
"description": "Enable or disable the monitoring of virtual machine scale sets OS vulnerabilities monitoring"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"secureTransferToStorageAccountMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Secure transfer to storage accounts should be enabled",
"description": "Enable or disable the monitoring of secure transfer to storage account"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"adaptiveApplicationControlsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Adaptive Application Controls should be enabled on virtual machines",
"description": "Enable or disable the monitoring of allowed application list in Azure Security Center"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityDesignateLessThanOwnersMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: A maximum of 3 owners should be designated for your subscription",
"description": "Enable or disable the monitoring of maximum owners in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"serverVulnerabilityAssessmentEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: A vulnerability assessment solution should be enabled on your virtual machines",
"description": "Enable or disable the detection of virtual machine vulnerabilities by Azure Security Center vulnerability assessment"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"webAppRestrictCORSAccessMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: CORS should not allow every resource to access your Web Application",
"description": "Enable or disable the monitoring of CORS restrictions for Web Application"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: External accounts with write permissions should be removed from your subscription",
"description": "Enable or disable the monitoring of external acounts with write permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityRemoveDeprecatedAccountMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Deprecated accounts should be removed from your subscription",
"description": "Enable or disable the monitoring of deprecated acounts in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"functionAppEnforceHttpsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Function App should only be accessible over HTTPS v2",
"description": "Enable or disable the monitoring of the use of HTTPS in Function App v2"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"vulnerabilityAssessmentMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
"description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"logProfilesForActivityLogEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Azure subscriptions should have a log profile for Activity Log",
"description": "Enable or disable the monitoring of a log profile for Activity Log in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"listOfResourceTypes": {
"type": "Array",
"metadata": {
"displayName": "[Preview]: List of resource types that should have diagnostic logs enabled",
"strongType": "resourceTypes"
}
},
"systemUpdatesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: System updates should be installed on your machines",
"description": "Enable or disable the monitoring of system updates reporting"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"apiAppRequireLatestTlsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Latest TLS version should be used for App Service",
"description": "Enable or disable the monitoring of the latest TLS version in App Service"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityEnableMFAForWritePermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: MFA should be enabled accounts with write permissions on your subscription",
"description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"anitmalwareRequiredForWindowsServersEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Microsoft IaaSAntimalware extension should be deployed on Windows servers",
"description": "Enable or disable the monitoring of Windows server VMs without Microsoft IaaSAntimalware extension deployed"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"webAppEnforceHttpsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Web Application should only be accessible over HTTPS v2",
"description": "Enable or disable the monitoring of the use of HTTPS in Web App v2"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"vnetEnableDDoSProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: DDoS Protection Standard should be enabled",
"description": "Enable or disable the monitoring of DDoS protection for all virtual networks with a subnet that is part of an application gateway with a public IP."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityEnableMFAForOwnerPermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: MFA should be enabled on accounts with owner permissions on your subscription",
"description": "Enable or disable the monitoring of MFA for accounts with owner permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlServerAdvancedDataSecurityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Advanced data security should be enabled on your SQL servers",
"description": "Enable or disable the monitoring of SQL servers without Advanced Data Security"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Advanced data security should be enabled on SQL Managed Instance",
"description": "Enable or disable the monitoring of each SQL Managed Instance without advanced data security."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"endpointProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Monitor missing endpoint protection in Azure Security Center",
"description": "Enable or disable the monitoring of endpoint protection"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"jitNetworkAccessMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Just-in-time network access control should be applied on virtual machines",
"description": "Enable or disable the monitoring of network just-in-time access"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"minimumTLSVersion": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Minimum TLS version",
"description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."
},
"allowedValues": [
"1.2"
],
"defaultValue": "1.2"
},
"aadAuthenticationInServiceFabricMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Service Fabric clusters should only use Azure Active Directory for client authentication",
"description": "Enable or disable the monitoring of Azure Active Directory for client authentication in Service Fabric"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"apiAppEnforceHttpsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: App Service should only be accessible over HTTPS v2",
"description": "Enable or disable the monitoring of the use of HTTPS v2 in App Service"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"vmssSystemUpdatesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: System updates on virtual machine scale sets should be installed",
"description": "Enable or disable the monitoring of virtual machine scale sets system updates reporting"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"webAppDisableRemoteDebuggingMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Remote debugging should be turned off for Web Application",
"description": "Enable or disable the monitoring of remote debugging for Web App"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"systemConfigurationsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Vulnerabilities in security configuration on your machines should be remediated",
"description": "Enable or disable the monitoring of OS vulnerabilities (based on a configured baseline)"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityEnableMFAForReadPermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: MFA should be enabled on accounts with read permissions on your subscription",
"description": "Enable or disable the monitoring of MFA for accounts with read permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"enforcePasswordHistory": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Enforce password history",
"description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
},
"defaultValue": "24"
},
"maximumPasswordAge": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Maximum password age",
"description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
},
"defaultValue": "1,70"
},
"minimumPasswordAge": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Minimum password age",
"description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
},
"defaultValue": "1"
},
"minimumPasswordLength": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Minimum password length",
"description": "Specifies the minimum number of characters that a user account password may contain."
},
"defaultValue": "10"
},
"passwordMustMeetComplexityRequirements": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Password must meet complexity requirements",
"description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
},
"allowedValues": [
"0",
"1"
],
"defaultValue": "1"
},
"containerBenchmarkMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Vulnerabilities in container security configurations should be remediated",
"description": "Enable or disable the monitoring of container benchmark"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"apiAppDisableRemoteDebuggingMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Remote debugging should be turned off for App Service",
"description": "Enable or disable the monitoring of remote debugging for App Service"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Deprecated accounts with owner permissions should be removed from your subscription",
"description": "Enable or disable the monitoring of deprecated acounts with owner permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"vulnerabilityAssessmentOnServerMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Vulnerability assessment should be enabled on your SQL servers",
"description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"webAppRequireLatestTlsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Latest TLS version should be used in your Web App",
"description": "Enable or disable the monitoring of the latest TLS version in Web App"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"networkSecurityGroupsOnVirtualMachinesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Internet-facing virtual machines should be protected with Network Security Groups",
"description": "Enable or disable the monitoring of NSGs on VMs"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: External accounts with owner permissions should be removed from your subscription",
"description": "Enable or disable the monitoring of external acounts with owner permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"functionAppRequireLatestTlsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Latest TLS version should be used in your Function App",
"description": "Enable or disable the monitoring of the latest TLS version in Function App"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlDbVulnerabilityAssesmentMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "[Preview]: Vulnerabilities on your SQL databases should be remediated",
"description": "Enable or disable the monitoring of Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "auditVirtualMachinesWithoutDisasterRecoveryConfigured",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
"parameters": {
}
},
{
"policyDefinitionReferenceId": "vulnerabilityAssessmentEmailSettingForReceivingScanReports",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
"parameters": {
"effect": {
"value": "[parameters('vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "adaptiveNetworkHardeningsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
"parameters": {
"effect": {
"value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityDesignateMoreThanOneOwnerMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
"parameters": {
"effect": {
"value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diskEncryptionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
"parameters": {
"effect": {
"value": "[parameters('diskEncryptionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "functionAppDisableRemoteDebuggingMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
"parameters": {
"effect": {
"value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "AdministratorsGroupMembersToExclude",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
},
"membersToExclude": {
"value": "[parameters('membersToExclude')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlDbEncryptionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
"parameters": {
"effect": {
"value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
"parameters": {
"effect": {
"value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "aadAuthenticationInSqlServerMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
"parameters": {
"effect": {
"value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInRedisCacheMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vmssEndpointProtectionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
"parameters": {
"effect": {
"value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "logAnalyticsOSImageAudit",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
"parameters": {
"listOfImageIdToInclude_windows": {
"value": "[parameters('listOfImageIdToIncludeWindows')]"
},
"listOfImageIdToInclude_linux": {
"value": "[parameters('listOfImageIdToIncludeLinux')]"
}
}
},
{
"policyDefinitionReferenceId": "previewAuditLinuxVmAccountsWithNoPasswords",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
}
}
},
{
"policyDefinitionReferenceId": "auditUnrestrictedNetworkToStorageAccountMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
"parameters": {
"effect": {
"value": "[parameters('auditUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
"parameters": {
"effect": {
"value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "secureTransferToStorageAccountMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
"parameters": {
"effect": {
"value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "adaptiveApplicationControlsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
"parameters": {
"effect": {
"value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityDesignateLessThanOwnersMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
"parameters": {
"effect": {
"value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "serverVulnerabilityAssessment",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
"parameters": {
"effect": {
"value": "[parameters('serverVulnerabilityAssessmentEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
"parameters": {
"effect": {
"value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "logAnalyticsOSImageVMSSAudit",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
"parameters": {
"listOfImageIdToInclude_windows": {
"value": "[parameters('listOfImageIdToIncludeWindows')]"
},
"listOfImageIdToInclude_linux": {
"value": "[parameters('listOfImageIdToIncludeLinux')]"
}
}
},
{
"policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
"parameters": {
"effect": {
"value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
"parameters": {
"effect": {
"value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
"parameters": {
"effect": {
"value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vulnerabilityAssessmentMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c",
"parameters": {
"effect": {
"value": "[parameters('vulnerabilityAssessmentMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "logProfilesForActivityLog",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7",
"parameters": {
"effect": {
"value": "[parameters('logProfilesForActivityLogEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "auditDiagnosticSetting",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
"parameters": {
"listOfResourceTypes": {
"value": "[parameters('listOfResourceTypes')]"
}
}
},
{
"policyDefinitionReferenceId": "systemUpdatesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
"parameters": {
"effect": {
"value": "[parameters('systemUpdatesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "apiAppRequireLatestTlsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
"parameters": {
"effect": {
"value": "[parameters('apiAppRequireLatestTlsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
"parameters": {
"effect": {
"value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "anitmalwareRequiredForWindowsServers",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
"parameters": {
"effect": {
"value": "[parameters('anitmalwareRequiredForWindowsServersEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
"parameters": {
"effect": {
"value": "[parameters('webAppEnforceHttpsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vnetEnableDDoSProtectionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
"parameters": {
"effect": {
"value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
"parameters": {
"effect": {
"value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlServerAdvancedDataSecurityMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
"parameters": {
"effect": {
"value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlManagedInstanceAdvancedDataSecurityMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
"parameters": {
"effect": {
"value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "endpointProtectionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
"parameters": {
"effect": {
"value": "[parameters('endpointProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "jitNetworkAccessMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
"parameters": {
"effect": {
"value": "[parameters('jitNetworkAccessMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "auditWindowsTLS",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
},
"minimumTLSVersion": {
"value": "[parameters('minimumTLSVersion')]"
}
}
},
{
"policyDefinitionReferenceId": "aadAuthenticationInServiceFabricMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
"parameters": {
"effect": {
"value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "apiAppEnforceHttpsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
"parameters": {
"effect": {
"value": "[parameters('apiAppEnforceHttpsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
"parameters": {
"effect": {
"value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
"parameters": {
"effect": {
"value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "systemConfigurationsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
"parameters": {
"effect": {
"value": "[parameters('systemConfigurationsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
"parameters": {
"effect": {
"value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e"
},
{
"policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6"
},
{
"policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6"
},
{
"policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
"parameters": {
}
},
{
"policyDefinitionReferenceId": "AzureBaselineSecuritySettingsAccountPolicies",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
},
"enforcePasswordHistory": {
"value": "[parameters('enforcePasswordHistory')]"
},
"maximumPasswordAge": {
"value": "[parameters('maximumPasswordAge')]"
},
"minimumPasswordAge": {
"value": "[parameters('minimumPasswordAge')]"
},
"minimumPasswordLength": {
"value": "[parameters('minimumPasswordLength')]"
},
"passwordMustMeetComplexityRequirements": {
"value": "[parameters('passwordMustMeetComplexityRequirements')]"
}
}
},
{
"policyDefinitionReferenceId": "containerBenchmarkMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
"parameters": {
"effect": {
"value": "[parameters('containerBenchmarkMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "apiAppDisableRemoteDebuggingMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
"parameters": {
"effect": {
"value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
"parameters": {
"effect": {
"value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "previewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
}
}
},
{
"policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
"parameters": {
"effect": {
"value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "webAppRequireLatestTlsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
"parameters": {
"effect": {
"value": "[parameters('webAppRequireLatestTlsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "previewAuditLogAnalyticsWorkspaceForVmReportMismatch",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
"parameters": {
"logAnalyticsWorkspaceId": {
"value": "[parameters('logAnalyticsWorkspaceId')]"
}
}
},
{
"policyDefinitionReferenceId": "networkSecurityGroupsOnVirtualMachinesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
"parameters": {
"effect": {
"value": "[parameters('networkSecurityGroupsOnVirtualMachinesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
"parameters": {
"effect": {
"value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "functionAppRequireLatestTlsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
"parameters": {
"effect": {
"value": "[parameters('functionAppRequireLatestTlsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
"parameters": {
"effect": {
"value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
}
}
}
]
},
"id": "/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077",
"type": "Microsoft.Authorization/policySetDefinitions",
"name": "27272c0b-c225-4cc3-b8b0-f2534b093077"
}
|