last sync: 2020-Sep-18 14:08:07 UTC

Azure Policy Initiative

[Preview]: Australian Government ISM PROTECTED

Initiative DisplayName [Preview]: Australian Government ISM PROTECTED
Initiative Id 27272c0b-c225-4cc3-b8b0-f2534b093077
Initiative Category Regulatory Compliance
Initiative Description This initiative includes audit and virtual machine extension deployment policies that address a subset of Australian Government Information Security Manual(ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint.
Initiative Type BuiltIn
Initiative Changes
Date/Time (UTC ymd) (i) Change(s)
2020-09-09 11:24:08 add Policy Audit Windows web servers that are not using secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
remove Policy [Deprecated]: Show audit results from Linux VMs that have accounts without passwords (c40c9087-1981-4e73-9f53-39743eda9d05)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members (144f1397-32f9-4598-8c88-118decc3ccba)
add Policy Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols (b2fc8f91-866d-4434-9089-5ebfe38d6fd8)
add Policy Audit Linux machines that have accounts without passwords (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99)
remove Policy [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords (2d67222d-05fd-4526-a171-2ee132ad9e83)
remove Policy [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols (60ffe3e2-4604-4460-8f22-0f1da058266c)
add Policy Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023)
remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords (3470477a-b35a-49db-aca5-1073d04524fe)
add Policy Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f)
remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members (bde62c94-ccca-4821-a815-92c1d31a76de)
remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords (ec49586f-4939-402d-a29e-6ff502b20592)
2020-08-21 13:50:30 remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' (e3d95ab7-f47a-49d8-a347-784177b6c94c)
add Policy Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e)
add Policy Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6)
add Policy Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6)
add Policy Windows machines should meet requirements for 'Security Settings - Account Policies' (f2143251-70de-4e81-87a8-36cee5a2f29d)
remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' (ddb53c61-9db4-41d4-a953-2abff5b66c12)
2020-06-16 14:55:25 change Description Description change: 'This initiative includes audit and VM Extension deployment policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Australian Government Information Security Manual(ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint.'
change DisplayName Name change: '[Preview]: Audit Australian Government ISM PROTECTED controls and deploy specific VM Extensions to support audit requirements' to '[Preview]: Australian Government ISM PROTECTED'
2020-04-22 04:43:14 add Initiative 27272c0b-c225-4cc3-b8b0-f2534b093077
Initiative Policies count Total Policies: 62
Builtin Policies: 62/62
Static Policies: 0/62
Initiative Policies
Policy DisplayName Policy Id
Latest TLS version should be used in your API App 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e
CORS should not allow every resource to access your Web Applications 5744710e-cc2f-4ee8-8809-3b11e89f4bc9
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 331e8ea8-378a-410f-a2e5-ae22f38bb0da
A vulnerability assessment solution should be enabled on your virtual machines 501541f7-f7e7-4cd6-868c-4190fdad3ac9
Advanced data security should be enabled on your SQL servers abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9
Audit diagnostic setting 7f89b1eb-583c-429a-8828-af049802c1d9
Microsoft IaaSAntimalware extension should be deployed on Windows servers 9b597639-28e4-48eb-b506-56b05d366257
Audit Windows machines that have the specified members in the Administrators group 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f
Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138
Secure transfer to storage accounts should be enabled 404c3081-a854-4457-ae30-26a93ef643f9
Storage accounts should restrict network access 34c877ad-507e-4c82-993e-3452a6e0ad3c
Only secure connections to your Azure Cache for Redis should be enabled 22bee202-a82f-4305-9a2a-6d7f44d4dedb
A maximum of 3 owners should be designated for your subscription 4f11b553-d42e-4e3a-89be-32ca364cad4c
Vulnerabilities in container security configurations should be remediated e8cbc669-f12d-49eb-93e7-9273119e9933
There should be more than one owner assigned to your subscription 09024ccc-0c5f-475e-9457-b7c0d9ed487b
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 385f5831-96d4-41db-9a3c-cd3af78aaae6
Vulnerabilities in security configuration on your machines should be remediated e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15
External accounts with owner permissions should be removed from your subscription f8456c1c-aa66-4dfb-861a-25d127b775c9
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 497dff13-db2a-4c0f-8603-28fa3b331ab6
Latest TLS version should be used in your Function App f9d614c5-c173-4d56-95a7-b4437057d193
Windows machines should meet requirements for 'Security Settings - Account Policies' f2143251-70de-4e81-87a8-36cee5a2f29d
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4
Internet-facing virtual machines should be protected with network security groups f6de0be7-9a8a-4b8a-b349-43cf02d22f7c
Transparent Data Encryption on SQL databases should be enabled 17k78e20-9358-41c9-923c-fb736d382a12
External accounts with write permissions should be removed from your subscription 5c607a2e-c700-4744-8254-d77e7c9eb5e4
Audit Windows web servers that are not using secure communication protocols 5752e6d6-1206-46d8-8ab1-ecc2f71a8112
Adaptive application controls for defining safe applications should be enabled on your machines 47a6b606-51aa-4496-8bb7-64b11cf66adc
MFA should be enabled on accounts with read permissions on your subscription e3576e28-8b17-4677-84c3-db2990658d64
Management ports of virtual machines should be protected with just-in-time network access control b0f33259-77d7-4c9e-aac6-3aabcfae693c
Audit virtual machines without disaster recovery configured 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56
Audit Linux machines that allow remote connections from accounts without passwords ea53dbee-c6c9-4f0e-9f9e-de0039b78023
Deprecated accounts with owner permissions should be removed from your subscription ebb62a0c-3560-49e1-89ed-27e074e9f8ad
Deprecated accounts should be removed from your subscription 6b1cbf55-e8b6-442f-ba4c-7246b6381474
Vulnerability assessment should be enabled on your SQL servers ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9
Azure subscriptions should have a log profile for Activity Log 7796937f-307b-4598-941c-67d3a05ebfe7
Vulnerabilities should be remediated by a Vulnerability Assessment solution 760a85ff-6162-42b3-8d70-698e268f648c
Latest TLS version should be used in your Web App f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b
An Azure Active Directory administrator should be provisioned for SQL servers 1f314764-cb73-4fc9-b863-8eca98ac36e9
Service Fabric clusters should only use Azure Active Directory for client authentication b54ed75b-3e1a-44ac-a333-05ba39b99ff0
Vulnerabilities on your SQL databases should be remediated feedbf84-6b99-488c-acc2-71c829aa5ffc
Vulnerability assessment should be enabled on SQL Managed Instance 1b7aa243-30e4-4c9e-bca8-d0d3022b634a
Remote debugging should be turned off for Web Applications cb510bfd-1cba-4d9f-a230-cb0976f4bb71
Advanced data security should be enabled on SQL Managed Instance abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9
Remote debugging should be turned off for API Apps e9c8d085-d9cc-4b17-9cdc-059f1f01f19e
System updates on virtual machine scale sets should be installed c3f317a7-a95c-4547-b7e7-11017ebdf2fe
Audit Log Analytics workspace for VM - Report Mismatch f47b5582-33ec-4c5c-87c0-b010a6b2e917
Remote debugging should be turned off for Function Apps 0e60b895-3786-45da-8377-9c6b4b6ac5f9
Azure DDoS Protection Standard should be enabled a7aca53f-2ed4-4466-a25e-0b45ade68efd
API App should only be accessible over HTTPS b7ddfbdc-1260-477d-91fd-98bd9be789a6
Monitor missing Endpoint Protection in Azure Security Center af6cd1bd-1635-48cb-bde7-5b15693900b9
Function App should only be accessible over HTTPS 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines 08e6af2d-db70-460a-bfe9-d5bd474ba9d6
System updates should be installed on your machines 86b3d65f-7626-441e-b690-81a8b71cff60
Audit Linux machines that have accounts without passwords f6ec09a3-78bf-4f8f-99dc-6c77182d0f99
MFA should be enabled on accounts with owner permissions on your subscription aa633080-8b72-40c4-a2d7-d00c03e80bed
Disk encryption should be applied on virtual machines 0961003e-5a0a-4549-abde-af6a37f2724d
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9
[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted 32133ab0-ee4b-4b44-98d6-042180979d50
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
MFA should be enabled accounts with write permissions on your subscription 9297c21d-2ed6-4474-b48f-163f75654ce3
Web Application should only be accessible over HTTPS a4af4a39-4135-47fb-b175-47fbdf85311d
Endpoint protection solution should be installed on virtual machine scale sets 26a828e1-e88f-464e-bbb3-c134a282b9de
Initiative Rule
{
  "properties": {
  "displayName": "[Preview]: Australian Government ISM PROTECTED",
    "policyType": "BuiltIn",
    "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of Australian Government Information Security Manual(ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint.",
    "metadata": {
      "version": "3.0.0-preview",
      "category": "Regulatory Compliance",
      "preview": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Include Arc connected servers for Guest Configuration policies",
          "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "membersToExclude": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: List of users excluded from Windows VM Administrators group",
          "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
        }
      },
      "logAnalyticsWorkspaceId": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Log Analytics Workspace Id that VMs should be configured for",
          "description": "This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for."
        }
      },
      "vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports",
          "description": "Enable or disable the monitoring of Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "adaptiveNetworkHardeningsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines",
          "description": "Enable or disable the monitoring of Internet-facing virtual machines for Network Security Group traffic hardening recommendations"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityDesignateMoreThanOneOwnerMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: There should be more than one owner assigned to your subscription",
          "description": "Enable or disable the monitoring of minimum owners in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diskEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Disk encryption should be applied on virtual machines",
          "description": "Enable or disable the monitoring for VM disk encryption"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Remote debugging should be turned off for Function App",
          "description": "Enable or disable the monitoring of remote debugging for Function App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlDbEncryptionMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Transparent Data Encryption on SQL databases should be enabled",
          "description": "Enable or disable the monitoring of unencrypted SQL databases"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Vulnerability assessment should be enabled on SQL Managed Instance",
          "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "aadAuthenticationInSqlServerMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: An Azure Active Directory administrator should be provisioned for SQL servers",
          "description": "Enable or disable the monitoring of an Azure AD admininistrator for SQL server"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "diagnosticsLogsInRedisCacheMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Only secure connections to your Redis Cache should be enabled",
          "description": "Enable or disable the monitoring of diagnostic logs in Azure Redis Cache"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vmssEndpointProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Endpoint protection solution should be installed on virtual machine scale sets",
          "description": "Enable or disable the monitoring of virtual machine scale sets endpoint protection monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfImageIdToIncludeWindows": {
        "type": "Array",
        "metadata": {
        "displayName": "[Preview]: Optional: List of VM images that have supported Windows OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": [
          
        ]
      },
      "listOfImageIdToIncludeLinux": {
        "type": "Array",
        "metadata": {
        "displayName": "[Preview]: Optional: List of VM images that have supported Linux OS to add to scope",
          "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
        },
        "defaultValue": [
          
        ]
      },
      "auditUnrestrictedNetworkToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit unrestricted network access to storage accounts",
          "description": "Enable or disable the monitoring of network access to storage account"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vmssOsVulnerabilitiesMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
          "description": "Enable or disable the monitoring of virtual machine scale sets OS vulnerabilities monitoring"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "secureTransferToStorageAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Secure transfer to storage accounts should be enabled",
          "description": "Enable or disable the monitoring of secure transfer to storage account"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "adaptiveApplicationControlsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Adaptive Application Controls should be enabled on virtual machines",
          "description": "Enable or disable the monitoring of allowed application list in Azure Security Center"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityDesignateLessThanOwnersMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: A maximum of 3 owners should be designated for your subscription",
          "description": "Enable or disable the monitoring of maximum owners in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "serverVulnerabilityAssessmentEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: A vulnerability assessment solution should be enabled on your virtual machines",
          "description": "Enable or disable the detection of virtual machine vulnerabilities by Azure Security Center vulnerability assessment"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppRestrictCORSAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: CORS should not allow every resource to access your Web Application",
          "description": "Enable or disable the monitoring of CORS restrictions for Web Application"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: External accounts with write permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of external acounts with write permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Deprecated accounts should be removed from your subscription",
          "description": "Enable or disable the monitoring of deprecated acounts in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Function App should only be accessible over HTTPS v2",
          "description": "Enable or disable the monitoring of the use of HTTPS in Function App v2"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vulnerabilityAssessmentMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
          "description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "logProfilesForActivityLogEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Azure subscriptions should have a log profile for Activity Log",
          "description": "Enable or disable the monitoring of a log profile for Activity Log in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "listOfResourceTypes": {
        "type": "Array",
        "metadata": {
        "displayName": "[Preview]: List of resource types that should have diagnostic logs enabled",
          "strongType": "resourceTypes"
        }
      },
      "systemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: System updates should be installed on your machines",
          "description": "Enable or disable the monitoring of system updates reporting"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Latest TLS version should be used for App Service",
          "description": "Enable or disable the monitoring of the latest TLS version in App Service"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForWritePermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: MFA should be enabled accounts with write permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "anitmalwareRequiredForWindowsServersEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Microsoft IaaSAntimalware extension should be deployed on Windows servers",
          "description": "Enable or disable the monitoring of Windows server VMs without Microsoft IaaSAntimalware extension deployed"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Web Application should only be accessible over HTTPS v2",
          "description": "Enable or disable the monitoring of the use of HTTPS in Web App v2"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vnetEnableDDoSProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: DDoS Protection Standard should be enabled",
          "description": "Enable or disable the monitoring of DDoS protection for all virtual networks with a subnet that is part of an application gateway with a public IP."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: MFA should be enabled on accounts with owner permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlServerAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Advanced data security should be enabled on your SQL servers",
          "description": "Enable or disable the monitoring of SQL servers without Advanced Data Security"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Advanced data security should be enabled on SQL Managed Instance",
          "description": "Enable or disable the monitoring of each SQL Managed Instance without advanced data security."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "endpointProtectionMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Monitor missing endpoint protection in Azure Security Center",
          "description": "Enable or disable the monitoring of endpoint protection"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "jitNetworkAccessMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Just-in-time network access control should be applied on virtual machines",
          "description": "Enable or disable the monitoring of network just-in-time access"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "minimumTLSVersion": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Minimum TLS version",
          "description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."
        },
        "allowedValues": [
          "1.2"
        ],
        "defaultValue": "1.2"
      },
      "aadAuthenticationInServiceFabricMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Service Fabric clusters should only use Azure Active Directory for client authentication",
          "description": "Enable or disable the monitoring of Azure Active Directory for client authentication in Service Fabric"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "apiAppEnforceHttpsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: App Service should only be accessible over HTTPS v2",
          "description": "Enable or disable the monitoring of the use of HTTPS v2 in App Service"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "vmssSystemUpdatesMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: System updates on virtual machine scale sets should be installed",
          "description": "Enable or disable the monitoring of virtual machine scale sets system updates reporting"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Remote debugging should be turned off for Web Application",
          "description": "Enable or disable the monitoring of remote debugging for Web App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "systemConfigurationsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Vulnerabilities in security configuration on your machines should be remediated",
          "description": "Enable or disable the monitoring of OS vulnerabilities (based on a configured baseline)"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityEnableMFAForReadPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: MFA should be enabled on accounts with read permissions on your subscription",
          "description": "Enable or disable the monitoring of MFA for accounts with read permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "enforcePasswordHistory": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Enforce password history",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
        },
        "defaultValue": "24"
      },
      "maximumPasswordAge": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Maximum password age",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,70"
      },
      "minimumPasswordAge": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Minimum password age",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
        },
        "defaultValue": "1"
      },
      "minimumPasswordLength": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Minimum password length",
          "description": "Specifies the minimum number of characters that a user account password may contain."
        },
        "defaultValue": "10"
      },
      "passwordMustMeetComplexityRequirements": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Password must meet complexity requirements",
          "description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
        },
        "allowedValues": [
          "0",
          "1"
        ],
        "defaultValue": "1"
      },
      "containerBenchmarkMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Vulnerabilities in container security configurations should be remediated",
          "description": "Enable or disable the monitoring of container benchmark"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "apiAppDisableRemoteDebuggingMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Remote debugging should be turned off for App Service",
          "description": "Enable or disable the monitoring of remote debugging for App Service"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Deprecated accounts with owner permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of deprecated acounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "vulnerabilityAssessmentOnServerMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Vulnerability assessment should be enabled on your SQL servers",
          "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "webAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Latest TLS version should be used in your Web App",
          "description": "Enable or disable the monitoring of the latest TLS version in Web App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "networkSecurityGroupsOnVirtualMachinesMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Internet-facing virtual machines should be protected with Network Security Groups",
          "description": "Enable or disable the monitoring of NSGs on VMs"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: External accounts with owner permissions should be removed from your subscription",
          "description": "Enable or disable the monitoring of external acounts with owner permissions in subscription"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "functionAppRequireLatestTlsMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Latest TLS version should be used in your Function App",
          "description": "Enable or disable the monitoring of the latest TLS version in Function App"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "sqlDbVulnerabilityAssesmentMonitoringEffect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Vulnerabilities on your SQL databases should be remediated",
          "description": "Enable or disable the monitoring of Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "auditVirtualMachinesWithoutDisasterRecoveryConfigured",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {
          
        }
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentEmailSettingForReceivingScanReports",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9",
        "parameters": {
          "effect": {
          "value": "[parameters('vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "adaptiveNetworkHardeningsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
        "parameters": {
          "effect": {
          "value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityDesignateMoreThanOneOwnerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
        "parameters": {
          "effect": {
          "value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "diskEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
        "parameters": {
          "effect": {
          "value": "[parameters('diskEncryptionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "functionAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "parameters": {
          "effect": {
          "value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AdministratorsGroupMembersToExclude",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "membersToExclude": {
          "value": "[parameters('membersToExclude')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlDbEncryptionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
        "parameters": {
          "effect": {
          "value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
        "parameters": {
          "effect": {
          "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "aadAuthenticationInSqlServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
        "parameters": {
          "effect": {
          "value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "diagnosticsLogsInRedisCacheMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
        "parameters": {
          "effect": {
          "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vmssEndpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "parameters": {
          "effect": {
          "value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsOSImageAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50",
        "parameters": {
          "listOfImageIdToInclude_windows": {
          "value": "[parameters('listOfImageIdToIncludeWindows')]"
          },
          "listOfImageIdToInclude_linux": {
          "value": "[parameters('listOfImageIdToIncludeLinux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditUnrestrictedNetworkToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
        "parameters": {
          "effect": {
          "value": "[parameters('auditUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
        "parameters": {
          "effect": {
          "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "secureTransferToStorageAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
        "parameters": {
          "effect": {
          "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "adaptiveApplicationControlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
        "parameters": {
          "effect": {
          "value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityDesignateLessThanOwnersMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
        "parameters": {
          "effect": {
          "value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "serverVulnerabilityAssessment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
        "parameters": {
          "effect": {
          "value": "[parameters('serverVulnerabilityAssessmentEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
        "parameters": {
          "effect": {
          "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "logAnalyticsOSImageVMSSAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138",
        "parameters": {
          "listOfImageIdToInclude_windows": {
          "value": "[parameters('listOfImageIdToIncludeWindows')]"
          },
          "listOfImageIdToInclude_linux": {
          "value": "[parameters('listOfImageIdToIncludeLinux')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
        "parameters": {
          "effect": {
          "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
        "parameters": {
          "effect": {
          "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
        "parameters": {
          "effect": {
          "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c",
        "parameters": {
          "effect": {
          "value": "[parameters('vulnerabilityAssessmentMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "logProfilesForActivityLog",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7",
        "parameters": {
          "effect": {
          "value": "[parameters('logProfilesForActivityLogEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditDiagnosticSetting",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
        "parameters": {
          "listOfResourceTypes": {
          "value": "[parameters('listOfResourceTypes')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "systemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
        "parameters": {
          "effect": {
          "value": "[parameters('systemUpdatesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "apiAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
        "parameters": {
          "effect": {
          "value": "[parameters('apiAppRequireLatestTlsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
        "parameters": {
          "effect": {
          "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "anitmalwareRequiredForWindowsServers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
        "parameters": {
          "effect": {
          "value": "[parameters('anitmalwareRequiredForWindowsServersEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
        "parameters": {
          "effect": {
          "value": "[parameters('webAppEnforceHttpsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vnetEnableDDoSProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
        "parameters": {
          "effect": {
          "value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "parameters": {
          "effect": {
          "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlServerAdvancedDataSecurityMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
        "parameters": {
          "effect": {
          "value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlManagedInstanceAdvancedDataSecurityMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
        "parameters": {
          "effect": {
          "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "endpointProtectionMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
        "parameters": {
          "effect": {
          "value": "[parameters('endpointProtectionMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "jitNetworkAccessMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
        "parameters": {
          "effect": {
          "value": "[parameters('jitNetworkAccessMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "auditWindowsTLS",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "minimumTLSVersion": {
          "value": "[parameters('minimumTLSVersion')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "aadAuthenticationInServiceFabricMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
        "parameters": {
          "effect": {
          "value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "apiAppEnforceHttpsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
        "parameters": {
          "effect": {
          "value": "[parameters('apiAppEnforceHttpsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
        "parameters": {
          "effect": {
          "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
        "parameters": {
          "effect": {
          "value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "systemConfigurationsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
        "parameters": {
          "effect": {
          "value": "[parameters('systemConfigurationsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
        "parameters": {
          "effect": {
          "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6"
      },
      {
        "policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
        "parameters": {
          
        }
      },
      {
        "policyDefinitionReferenceId": "AzureBaselineSecuritySettingsAccountPolicies",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "enforcePasswordHistory": {
          "value": "[parameters('enforcePasswordHistory')]"
          },
          "maximumPasswordAge": {
          "value": "[parameters('maximumPasswordAge')]"
          },
          "minimumPasswordAge": {
          "value": "[parameters('minimumPasswordAge')]"
          },
          "minimumPasswordLength": {
          "value": "[parameters('minimumPasswordLength')]"
          },
          "passwordMustMeetComplexityRequirements": {
          "value": "[parameters('passwordMustMeetComplexityRequirements')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "containerBenchmarkMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
        "parameters": {
          "effect": {
          "value": "[parameters('containerBenchmarkMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "apiAppDisableRemoteDebuggingMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
        "parameters": {
          "effect": {
          "value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
        "parameters": {
          "effect": {
          "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
        "parameters": {
          "effect": {
          "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "webAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
        "parameters": {
          "effect": {
          "value": "[parameters('webAppRequireLatestTlsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "previewAuditLogAnalyticsWorkspaceForVmReportMismatch",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917",
        "parameters": {
          "logAnalyticsWorkspaceId": {
          "value": "[parameters('logAnalyticsWorkspaceId')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "networkSecurityGroupsOnVirtualMachinesMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
        "parameters": {
          "effect": {
          "value": "[parameters('networkSecurityGroupsOnVirtualMachinesMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
        "parameters": {
          "effect": {
          "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "functionAppRequireLatestTlsMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
        "parameters": {
          "effect": {
          "value": "[parameters('functionAppRequireLatestTlsMonitoringEffect')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
        "parameters": {
          "effect": {
          "value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "27272c0b-c225-4cc3-b8b0-f2534b093077"
}