AzInitiativeAdvertizer

last sync: 2021-Jun-15 14:05:43 UTC

Azure Policy Initiative

[Preview]: Australian Government ISM PROTECTED

Name[Preview]: Australian Government ISM PROTECTED
Azure Portal
Id27272c0b-c225-4cc3-b8b0-f2534b093077
Version4.0.1-preview
details on versioning
CategoryRegulatory Compliance
Microsoft docs
DescriptionThis initiative includes audit and virtual machine extension deployment policies that address a subset of Australian Government Information Security Manual(ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint.
TypeBuiltIn
DeprecatedFalse
PreviewTrue
History
Date/Time (UTC ymd) (i) Changes
2021-01-22 09:14:56 remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)
2020-09-09 11:24:08 add Policy Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da)
add Policy Audit Linux machines that have accounts without passwords (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99)
add Policy Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f)
add Policy Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
add Policy Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023)
remove Policy [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords (2d67222d-05fd-4526-a171-2ee132ad9e83)
remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords (ec49586f-4939-402d-a29e-6ff502b20592)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols (b2fc8f91-866d-4434-9089-5ebfe38d6fd8)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members (144f1397-32f9-4598-8c88-118decc3ccba)
remove Policy [Deprecated]: Show audit results from Linux VMs that have accounts without passwords (c40c9087-1981-4e73-9f53-39743eda9d05)
remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members (bde62c94-ccca-4821-a815-92c1d31a76de)
remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords (3470477a-b35a-49db-aca5-1073d04524fe)
remove Policy [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols (60ffe3e2-4604-4460-8f22-0f1da058266c)
2020-08-21 13:50:30 add Policy Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e)
add Policy Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6)
add Policy Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6)
add Policy Windows machines should meet requirements for 'Security Settings - Account Policies' (f2143251-70de-4e81-87a8-36cee5a2f29d)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' (e3d95ab7-f47a-49d8-a347-784177b6c94c)
remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' (ddb53c61-9db4-41d4-a953-2abff5b66c12)
2020-06-16 14:55:25 Name change: '[Preview]: Audit Australian Government ISM PROTECTED controls and deploy specific VM Extensions to support audit requirements' to '[Preview]: Australian Government ISM PROTECTED'
Description change: 'This initiative includes audit and VM Extension deployment policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Australian Government Information Security Manual(ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint.'
2020-04-22 04:43:14 add Initiative 27272c0b-c225-4cc3-b8b0-f2534b093077
Policy count Total Policies: 61
Builtin Policies: 61
Static Policies: 0
Policy used
Policy DisplayName Policy Id Category Effect State
[Preview]: Log Analytics Agent should be enabled for listed virtual machine images 32133ab0-ee4b-4b44-98d6-042180979d50 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 Preview
A maximum of 3 owners should be designated for your subscription 4f11b553-d42e-4e3a-89be-32ca364cad4c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
A vulnerability assessment solution should be enabled on your virtual machines 501541f7-f7e7-4cd6-868c-4190fdad3ac9 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Adaptive application controls for defining safe applications should be enabled on your machines 47a6b606-51aa-4496-8bb7-64b11cf66adc Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Guest Configuration Fixed: modify GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 497dff13-db2a-4c0f-8603-28fa3b331ab6 Guest Configuration Fixed: modify GA
Advanced data security should be enabled on SQL Managed Instance abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Advanced data security should be enabled on your SQL servers abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
An Azure Active Directory administrator should be provisioned for SQL servers 1f314764-cb73-4fc9-b863-8eca98ac36e9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
API App should only be accessible over HTTPS b7ddfbdc-1260-477d-91fd-98bd9be789a6 App Service Default: Audit
Allowed: (Audit, Disabled)		 GA
Audit diagnostic setting 7f89b1eb-583c-429a-8828-af049802c1d9 Monitoring Fixed: AuditIfNotExists GA
Audit Linux machines that allow remote connections from accounts without passwords ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Audit Linux machines that have accounts without passwords f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Audit virtual machines without disaster recovery configured 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Compute Fixed: auditIfNotExists GA
Audit Windows machines that have the specified members in the Administrators group 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f Guest Configuration Fixed: auditIfNotExists GA
Azure DDoS Protection Standard should be enabled a7aca53f-2ed4-4466-a25e-0b45ade68efd Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Azure subscriptions should have a log profile for Activity Log 7796937f-307b-4598-941c-67d3a05ebfe7 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
CORS should not allow every resource to access your Web Applications 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 331e8ea8-378a-410f-a2e5-ae22f38bb0da Guest Configuration Fixed: deployIfNotExists GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 385f5831-96d4-41db-9a3c-cd3af78aaae6 Guest Configuration Fixed: deployIfNotExists GA
Deprecated accounts should be removed from your subscription 6b1cbf55-e8b6-442f-ba4c-7246b6381474 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Deprecated accounts with owner permissions should be removed from your subscription ebb62a0c-3560-49e1-89ed-27e074e9f8ad Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Disk encryption should be applied on virtual machines 0961003e-5a0a-4549-abde-af6a37f2724d Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Endpoint protection solution should be installed on virtual machine scale sets 26a828e1-e88f-464e-bbb3-c134a282b9de Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
External accounts with owner permissions should be removed from your subscription f8456c1c-aa66-4dfb-861a-25d127b775c9 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
External accounts with write permissions should be removed from your subscription 5c607a2e-c700-4744-8254-d77e7c9eb5e4 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Function App should only be accessible over HTTPS 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab App Service Default: Audit
Allowed: (Audit, Disabled)		 GA
Internet-facing virtual machines should be protected with network security groups f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Latest TLS version should be used in your API App 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Latest TLS version should be used in your Function App f9d614c5-c173-4d56-95a7-b4437057d193 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Latest TLS version should be used in your Web App f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Management ports of virtual machines should be protected with just-in-time network access control b0f33259-77d7-4c9e-aac6-3aabcfae693c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
MFA should be enabled accounts with write permissions on your subscription 9297c21d-2ed6-4474-b48f-163f75654ce3 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
MFA should be enabled on accounts with owner permissions on your subscription aa633080-8b72-40c4-a2d7-d00c03e80bed Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
MFA should be enabled on accounts with read permissions on your subscription e3576e28-8b17-4677-84c3-db2990658d64 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Microsoft IaaSAntimalware extension should be deployed on Windows servers 9b597639-28e4-48eb-b506-56b05d366257 Compute Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Monitor missing Endpoint Protection in Azure Security Center af6cd1bd-1635-48cb-bde7-5b15693900b9 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Only secure connections to your Azure Cache for Redis should be enabled 22bee202-a82f-4305-9a2a-6d7f44d4dedb Cache Default: Audit
Allowed: (Audit, Deny, Disabled)		 GA
Remote debugging should be turned off for API Apps e9c8d085-d9cc-4b17-9cdc-059f1f01f19e App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Remote debugging should be turned off for Function Apps 0e60b895-3786-45da-8377-9c6b4b6ac5f9 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Remote debugging should be turned off for Web Applications cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Secure transfer to storage accounts should be enabled 404c3081-a854-4457-ae30-26a93ef643f9 Storage Default: Audit
Allowed: (Audit, Deny, Disabled)		 GA
Service Fabric clusters should only use Azure Active Directory for client authentication b54ed75b-3e1a-44ac-a333-05ba39b99ff0 Service Fabric Default: Audit
Allowed: (Audit, Deny, Disabled)		 GA
SQL databases should have vulnerability findings resolved feedbf84-6b99-488c-acc2-71c829aa5ffc Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Storage accounts should restrict network access 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage Default: Audit
Allowed: (Audit, Deny, Disabled)		 GA
System updates on virtual machine scale sets should be installed c3f317a7-a95c-4547-b7e7-11017ebdf2fe Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
System updates should be installed on your machines 86b3d65f-7626-441e-b690-81a8b71cff60 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
There should be more than one owner assigned to your subscription 09024ccc-0c5f-475e-9457-b7c0d9ed487b Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Transparent Data Encryption on SQL databases should be enabled 17k78e20-9358-41c9-923c-fb736d382a12 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Virtual machines should be connected to a specified workspace f47b5582-33ec-4c5c-87c0-b010a6b2e917 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Vulnerabilities in container security configurations should be remediated e8cbc669-f12d-49eb-93e7-9273119e9933 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Vulnerabilities in security configuration on your machines should be remediated e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Vulnerability assessment should be enabled on SQL Managed Instance 1b7aa243-30e4-4c9e-bca8-d0d3022b634a SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Vulnerability assessment should be enabled on your SQL servers ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Web Application should only be accessible over HTTPS a4af4a39-4135-47fb-b175-47fbdf85311d App Service Default: Audit
Allowed: (Audit, Disabled)		 GA
Windows machines should meet requirements for 'Security Settings - Account Policies' f2143251-70de-4e81-87a8-36cee5a2f29d Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
Windows web servers should be configured to use secure communication protocols 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)		 GA
JSON 
{
  "properties": {
  "displayName": "[Preview]: Australian Government ISM PROTECTED",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of Australian Government Information Security Manual(ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint.",
    "metadata": {
      "version": "4.0.1-preview",
      "category": "Regulatory Compliance",
      "preview": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "membersToExclude": {
        "type": "String",
        "metadata": {
          "displayName": "List of users excluded from Windows VM Administrators group",
          "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      },
      "logAnalyticsWorkspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics Workspace Id that VMs should be configured for",
          "description": "This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."
        }
      },
      "vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports",
          "description": "Enable or disable the monitoring of Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "adaptiveNetworkHardeningsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Adaptive Network Hardening recommendations should be applied on internet facing virtual machines",
          "description": "Enable or disable the monitoring of Internet-facing virtual machines for Network Security Group traffic hardening recommendations"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityDesignateMoreThanOneOwnerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "There should be more than one owner assigned to your subscription",
          "description": "Enable or disable the monitoring of minimum owners in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diskEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Disk encryption should be applied on virtual machines",
          "description": "Enable or disable the monitoring for VM disk encryption"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Remote debugging should be turned off for Function App",
          "description": "Enable or disable the monitoring of remote debugging for Function App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlDbEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Transparent Data Encryption on SQL databases should be enabled",
          "description": "Enable or disable the monitoring of unencrypted SQL databases"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "aadAuthenticationInSqlServerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "An Azure Active Directory administrator should be provisioned for SQL servers",
          "description": "Enable or disable the monitoring of an Azure AD admininistrator for SQL server"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInRedisCacheMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Only secure connections to your Redis Cache should be enabled",
          "description": "Enable or disable the monitoring of resource logs in Azure Redis Cache"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vmssEndpointProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Endpoint protection solution should be installed on virtual machine scale sets",
          "description": "Enable or disable the monitoring of virtual machine scale sets endpoint protection monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfImageIdToIncludeWindows": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": [
          
        ]
      },
      "listOfImageIdToIncludeLinux": {
        "type": "Array",
        "metadata": {
          "displayName": "Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": [
          
        ]
      },
      "auditUnrestrictedNetworkToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Audit unrestricted network access to storage accounts",
          "description": "Enable or disable the monitoring of network access to storage account"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vmssOsVulnerabilitiesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
          "description": "Enable or disable the monitoring of virtual machine scale sets OS vulnerabilities monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "secureTransferToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Secure transfer to storage accounts should be enabled",
          "description": "Enable or disable the monitoring of secure transfer to storage account"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "adaptiveApplicationControlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Adaptive Application Controls should be enabled on virtual machines",
          "description": "Enable or disable the monitoring of allowed application list in Azure Security Center"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityDesignateLessThanOwnersMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "A maximum of 3 owners should be designated for your subscription",
          "description": "Enable or disable the monitoring of maximum owners in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "serverVulnerabilityAssessmentEffect": {
        "type": "String",
        "metadata": {
          "displayName": "A vulnerability assessment solution should be enabled on your virtual machines",
          "description": "Enable or disable the detection of virtual machine vulnerabilities by Azure Security Center vulnerability assessment"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppRestrictCORSAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "CORS should not allow every resource to access your Web Application",
          "description": "Enable or disable the monitoring of CORS restrictions for Web Application"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "External accounts with write permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of external acounts with write permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deprecated accounts should be removed from your subscription",
          "description": "Enable or disable the monitoring of deprecated acounts in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Function App should only be accessible over HTTPS v2",
          "description": "Enable or disable the monitoring of the use of HTTPS in Function App v2"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vulnerabilityAssessmentMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
          "description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution",
          "deprecated": true
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      },
      "logProfilesForActivityLogEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Azure subscriptions should have a log profile for Activity Log",
          "description": "Enable or disable the monitoring of a log profile for Activity Log in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "List of resource types that should have resource logs enabled",
          "strongType": "resourceTypes"
        }
      },
      "systemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "System updates should be installed on your machines",
          "description": "Enable or disable the monitoring of system updates reporting"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Latest TLS version should be used for App Service",
          "description": "Enable or disable the monitoring of the latest TLS version in App Service"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MFA should be enabled accounts with write permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "anitmalwareRequiredForWindowsServersEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft IaaSAntimalware extension should be deployed on Windows servers",
          "description": "Enable or disable the monitoring of Windows server VMs without Microsoft IaaSAntimalware extension deployed"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Web Application should only be accessible over HTTPS v2",
          "description": "Enable or disable the monitoring of the use of HTTPS in Web App v2"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vnetEnableDDoSProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "DDoS Protection Standard should be enabled",
          "description": "Enable or disable the monitoring of DDoS protection for all virtual networks with a subnet that is part of an application gateway with a public IP."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlServerAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Advanced data security should be enabled on your SQL servers",
          "description": "Enable or disable the monitoring of SQL servers without Advanced Data Security"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Advanced data security should be enabled on SQL Managed Instance",
          "description": "Enable or disable the monitoring of each SQL Managed Instance without advanced data security."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "endpointProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Monitor missing endpoint protection in Azure Security Center",
          "description": "Enable or disable the monitoring of endpoint protection"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "jitNetworkAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Just-in-time network access control should be applied on virtual machines",
          "description": "Enable or disable the monitoring of network just-in-time access"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "minimumTLSVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum TLS version",
          "description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."
        },
        "allowedValues": [
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "aadAuthenticationInServiceFabricMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "Enable or disable the monitoring of Azure Active Directory for client authentication in Service Fabric"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "apiAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "App Service should only be accessible over HTTPS v2",
          "description": "Enable or disable the monitoring of the use of HTTPS v2 in App Service"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vmssSystemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "System updates on virtual machine scale sets should be installed",
          "description": "Enable or disable the monitoring of virtual machine scale sets system updates reporting"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Remote debugging should be turned off for Web Application",
          "description": "Enable or disable the monitoring of remote debugging for Web App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "systemConfigurationsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in security configuration on your machines should be remediated",
          "description": "Enable or disable the monitoring of OS vulnerabilities (based on a configured baseline)"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForReadPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "MFA should be enabled on accounts with read permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with read permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "enforcePasswordHistory": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce password history",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
        },
        "defaultValue": "24"
      },
      "maximumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum password age",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,70"
      },
      "minimumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password age",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
        },
        "defaultValue": "1"
      },
      "minimumPasswordLength": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password length",
          "description": "Specifies the minimum number of characters that a user account password may contain."
        },
        "defaultValue": "10"
      },
      "passwordMustMeetComplexityRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Password must meet complexity requirements",
          "description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
        },
        "allowedValues": [
          "0",
          "1"
        ],
        "defaultValue": "1"
      },
      "containerBenchmarkMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerabilities in container security configurations should be remediated",
          "description": "Enable or disable the monitoring of container benchmark"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Remote debugging should be turned off for App Service",
          "description": "Enable or disable the monitoring of remote debugging for App Service"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Deprecated accounts with owner permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of deprecated acounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnServerMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerability assessment should be enabled on your SQL servers",
          "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Latest TLS version should be used in your Web App",
          "description": "Enable or disable the monitoring of the latest TLS version in Web App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "networkSecurityGroupsOnVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Internet-facing virtual machines should be protected with Network Security Groups",
          "description": "Enable or disable the monitoring of NSGs on VMs"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "External accounts with owner permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of external acounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Latest TLS version should be used in your Function App",
          "description": "Enable or disable the monitoring of the latest TLS version in Function App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlDbVulnerabilityAssesmentMonitoringEffect": {
        "type": "String",
        "metadata": {
          "displayName": "SQL databases should have vulnerability findings resolved",
          "description": "Enable or disable the monitoring of Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "auditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {
          
        }
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentEmailSettingForReceivingScanReports",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "parameters": {
          "effect": {
          "value": "[parameters('vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "adaptiveNetworkHardeningsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {
          "effect": {
          "value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityDesignateMoreThanOneOwnerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {
          "effect": {
          "value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "diskEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
          "value": "[parameters('diskEncryptionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "functionAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {
          "effect": {
          "value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AdministratorsGroupMembersToExclude",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "membersToExclude": {
          "value": "[parameters('membersToExclude')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlDbEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {
          "effect": {
          "value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
          "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "aadAuthenticationInSqlServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {
          "effect": {
          "value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInRedisCacheMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
          "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vmssEndpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {
          "effect": {
          "value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsOSImageAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
        "parameters": {
          "listOfImageIdToInclude_windows": {
          "value": "[parameters('listOfImageIdToIncludeWindows')]"
          },
          "listOfImageIdToInclude_linux": {
          "value": "[parameters('listOfImageIdToIncludeLinux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditUnrestrictedNetworkToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
          "value": "[parameters('auditUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {
          "effect": {
          "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "secureTransferToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
          "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {
          "effect": {
          "value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityDesignateLessThanOwnersMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {
          "effect": {
          "value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "serverVulnerabilityAssessment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
          "value": "[parameters('serverVulnerabilityAssessmentEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {
          "effect": {
          "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsOSImageVMSSAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {
          "listOfImageIdToInclude_windows": {
          "value": "[parameters('listOfImageIdToIncludeWindows')]"
          },
          "listOfImageIdToInclude_linux": {
          "value": "[parameters('listOfImageIdToIncludeLinux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
          "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {
          "effect": {
          "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {
          "effect": {
          "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "logProfilesForActivityLog",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7",
        "parameters": {
          "effect": {
          "value": "[parameters('logProfilesForActivityLogEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
          "value": "[parameters('listOfResourceTypes')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
          "value": "[parameters('systemUpdatesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "apiAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {
          "effect": {
          "value": "[parameters('apiAppRequireLatestTlsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
          "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "anitmalwareRequiredForWindowsServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
        "parameters": {
          "effect": {
          "value": "[parameters('anitmalwareRequiredForWindowsServersEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
          "value": "[parameters('webAppEnforceHttpsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vnetEnableDDoSProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {
          "effect": {
          "value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
          "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlServerAdvancedDataSecurityMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {
          "effect": {
          "value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlManagedInstanceAdvancedDataSecurityMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {
          "effect": {
          "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "endpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {
          "effect": {
          "value": "[parameters('endpointProtectionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "jitNetworkAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {
          "effect": {
          "value": "[parameters('jitNetworkAccessMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditWindowsTLS",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "minimumTLSVersion": {
          "value": "[parameters('minimumTLSVersion')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "aadAuthenticationInServiceFabricMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
          "value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "apiAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {
          "effect": {
          "value": "[parameters('apiAppEnforceHttpsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
          "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {
          "effect": {
          "value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "systemConfigurationsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {
          "effect": {
          "value": "[parameters('systemConfigurationsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
          "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {
          
        }
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineSecuritySettingsAccountPolicies",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "enforcePasswordHistory": {
          "value": "[parameters('enforcePasswordHistory')]"
          },
          "maximumPasswordAge": {
          "value": "[parameters('maximumPasswordAge')]"
          },
          "minimumPasswordAge": {
          "value": "[parameters('minimumPasswordAge')]"
          },
          "minimumPasswordLength": {
          "value": "[parameters('minimumPasswordLength')]"
          },
          "passwordMustMeetComplexityRequirements": {
          "value": "[parameters('passwordMustMeetComplexityRequirements')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "containerBenchmarkMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {
          "effect": {
          "value": "[parameters('containerBenchmarkMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "apiAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {
          "effect": {
          "value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {
          "effect": {
          "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
          "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {
          "effect": {
          "value": "[parameters('webAppRequireLatestTlsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLogAnalyticsWorkspaceForVmReportMismatch",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
        "parameters": {
          "logAnalyticsWorkspaceId": {
          "value": "[parameters('logAnalyticsWorkspaceId')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "networkSecurityGroupsOnVirtualMachinesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {
          "effect": {
          "value": "[parameters('networkSecurityGroupsOnVirtualMachinesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
          "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "functionAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {
          "effect": {
          "value": "[parameters('functionAppRequireLatestTlsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {
          "effect": {
          "value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "27272c0b-c225-4cc3-b8b0-f2534b093077"
}