[Preview]: SWIFT CSP-CSCF v2020

Azure BuiltIn Policy Initiative (PolicySet)

Policy types

Policy states

Policy categories

Total Policies: 48
Builtin Policies: 48
Static Policies: 0

GA: 48

12 categories:

App Service: 4
Automation: 1
Cache: 1
Compute: 2
General: 1
Guest Configuration: 17
Monitoring: 2
Security Center: 11
Service Fabric: 1
SQL: 4
Storage: 3
Stream Analytics: 1

Rows: 1-10 / 48

Records:

Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi

Page of 5

Policy DisplayName

Policy Id

Category

Version

Versioning

Effect

Roles#

Roles

State

policy in AzUSGov

A maximum of 3 owners should be designated for your subscription

4f11b553-d42e-4e3a-89be-32ca364cad4c

Security Center

3.0.0

1x
3.0.0

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

true

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

3cf2ab00-13f1-4d0c-8971-2ac904541a7e

Guest Configuration

4.1.0

2x
4.1.0, 4.0.0

Fixed
modify

Contributor

true

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

497dff13-db2a-4c0f-8603-28fa3b331ab6

Guest Configuration

4.1.0

2x
4.1.0, 4.0.0

Fixed
modify

Contributor

true

All network ports should be restricted on network security groups associated to your virtual machine

9daedab3-fb2d-461e-b861-71790eead4f6

Security Center

3.0.0

1x
3.0.0

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

true

An Azure Active Directory administrator should be provisioned for SQL servers

1f314764-cb73-4fc9-b863-8eca98ac36e9

SQL

1.0.0

1x
1.0.0

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

true

App Service apps should have remote debugging turned off

cb510bfd-1cba-4d9f-a230-cb0976f4bb71

App Service

2.0.0

1x
2.0.0

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

true

App Service apps should only be accessible over HTTPS

a4af4a39-4135-47fb-b175-47fbdf85311d

App Service

4.0.0

1x
4.0.0

Default
Audit
Allowed
Audit, Disabled, Deny

true

Audit diagnostic setting for selected resource types

7f89b1eb-583c-429a-8828-af049802c1d9

Monitoring

2.0.1

1x
2.0.1

Fixed
AuditIfNotExists

true

Audit Linux machines that allow remote connections from accounts without passwords

ea53dbee-c6c9-4f0e-9f9e-de0039b78023

Guest Configuration

3.1.0

2x
3.1.0, 3.0.0

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

true

Audit Linux machines that do not have the passwd file permissions set to 0644

e6955644-301c-44b5-a4c4-528577de6861

Guest Configuration

3.1.0

2x
3.1.0, 3.0.0

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

true

Role

Role Id

#Policies

Policies

Contributor

b24988ac-6180-42a0-ab88-20f7382dd24c

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

Date/Time (UTC ymd) (i)

Changes

2025-03-12 18:29:00

Version change: '6.5.0-preview' to '6.6.0-preview'
remove Policy [Deprecated]: Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15)

2025-01-28 19:35:17

Version change: '6.4.0-preview' to '6.5.0-preview'
remove Policy [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52)
remove Policy [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4)
remove Policy [Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a)

2024-10-15 17:53:51

Version change: '6.3.0-preview' to '6.4.0-preview'
remove Policy [Deprecated]: System updates on virtual machine scale sets should be installed (c3f317a7-a95c-4547-b7e7-11017ebdf2fe)
remove Policy [Deprecated]: System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)

2024-09-05 17:48:45

Version change: '6.2.0-preview' to '6.3.0-preview'
remove Policy [Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6)
remove Policy [Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
remove Policy [Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)

2024-08-29 17:47:54

Version change: '6.1.0-preview' to '6.2.0-preview'
remove Policy [Deprecated]: Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de)
remove Policy [Deprecated]: Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)

2023-05-04 17:45:12

2022-07-07 16:32:14

Version change: '5.0.0-preview' to '6.0.0-preview'
remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e)

2022-06-10 16:31:22

Version change: '3.1.1-preview' to '5.0.0-preview'
remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)

2022-04-07 17:18:35

Version change: '3.1.0-preview' to '3.1.1-preview'

2022-04-01 20:29:13

Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift-blueprint.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2020-init.'

2020-09-09 11:24:08

2020-07-01 14:50:07

remove Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278)

2020-06-16 14:55:25

Name change: '[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements' to '[Preview]: SWIFT CSP-CSCF v2020'
Description change: 'This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/SWIFT-blueprint.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift-blueprint.'

{

displayName: "[Preview]: SWIFT CSP-CSCF v2020",
policyType: "BuiltIn",
description: "This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2020-init.",
metadata: {3 items
- version: "6.6.0-preview",
- category: "Regulatory Compliance",
- preview: true
},
version: "6.6.0-preview",
parameters: {7 items
- IncludeArcMachines: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Include Arc connected servers for Guest Configuration policies",
    - description: "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
    },
  - allowedValues: [2 items
    - "true",
    - "false"
    ],
  - defaultValue: "false"
  },
- listOfResourceTypesWithDiagnosticLogsEnabled: {4 items
  - type: "Array",
  - metadata: {1 item
    - displayName: "List of resource types that should have resource logs enabled"
    },
  - allowedValues: [46 items
    - "Microsoft.AnalysisServices/servers",
    - "Microsoft.ApiManagement/service",
    - "Microsoft.Network/applicationGateways",
    - "Microsoft.Automation/automationAccounts",
    - "Microsoft.ContainerInstance/containerGroups",
    - "Microsoft.ContainerRegistry/registries",
    - "Microsoft.ContainerService/managedClusters",
    - "Microsoft.Batch/batchAccounts",
    - "Microsoft.Cdn/profiles/endpoints",
    - "Microsoft.CognitiveServices/accounts",
    - "Microsoft.DocumentDB/databaseAccounts",
    - "Microsoft.DataFactory/factories",
    - "Microsoft.DataLakeAnalytics/accounts",
    - "Microsoft.DataLakeStore/accounts",
    - "Microsoft.EventGrid/eventSubscriptions",
    - "Microsoft.EventGrid/topics",
    - "Microsoft.EventHub/namespaces",
    - "Microsoft.Network/expressRouteCircuits",
    - "Microsoft.Network/azureFirewalls",
    - "Microsoft.HDInsight/clusters",
    - "Microsoft.Devices/IotHubs",
    - "Microsoft.KeyVault/vaults",
    - "Microsoft.Network/loadBalancers",
    - "Microsoft.Logic/integrationAccounts",
    - "Microsoft.Logic/workflows",
    - "Microsoft.DBforMySQL/servers",
    - "Microsoft.Network/networkInterfaces",
    - "Microsoft.Network/networkSecurityGroups",
    - "Microsoft.DBforPostgreSQL/servers",
    - "Microsoft.PowerBIDedicated/capacities",
    - "Microsoft.Network/publicIPAddresses",
    - "Microsoft.RecoveryServices/vaults",
    - "Microsoft.Cache/redis",
    - "Microsoft.Relay/namespaces",
    - "Microsoft.Search/searchServices",
    - "Microsoft.ServiceBus/namespaces",
    - "Microsoft.SignalRService/SignalR",
    - "Microsoft.Sql/servers/databases",
    - "Microsoft.Sql/servers/elasticPools",
    - "Microsoft.StreamAnalytics/streamingjobs",
    - "Microsoft.TimeSeriesInsights/environments",
    - "Microsoft.Network/trafficManagerProfiles",
    - "Microsoft.Compute/virtualMachines",
    - "Microsoft.Compute/virtualMachineScaleSets",
    - "Microsoft.Network/virtualNetworks",
    - "Microsoft.Network/virtualNetworkGateways"
    ],
  - defaultValue: [46 items
    - "Microsoft.AnalysisServices/servers",
    - "Microsoft.ApiManagement/service",
    - "Microsoft.Network/applicationGateways",
    - "Microsoft.Automation/automationAccounts",
    - "Microsoft.ContainerInstance/containerGroups",
    - "Microsoft.ContainerRegistry/registries",
    - "Microsoft.ContainerService/managedClusters",
    - "Microsoft.Batch/batchAccounts",
    - "Microsoft.Cdn/profiles/endpoints",
    - "Microsoft.CognitiveServices/accounts",
    - "Microsoft.DocumentDB/databaseAccounts",
    - "Microsoft.DataFactory/factories",
    - "Microsoft.DataLakeAnalytics/accounts",
    - "Microsoft.DataLakeStore/accounts",
    - "Microsoft.EventGrid/eventSubscriptions",
    - "Microsoft.EventGrid/topics",
    - "Microsoft.EventHub/namespaces",
    - "Microsoft.Network/expressRouteCircuits",
    - "Microsoft.Network/azureFirewalls",
    - "Microsoft.HDInsight/clusters",
    - "Microsoft.Devices/IotHubs",
    - "Microsoft.KeyVault/vaults",
    - "Microsoft.Network/loadBalancers",
    - "Microsoft.Logic/integrationAccounts",
    - "Microsoft.Logic/workflows",
    - "Microsoft.DBforMySQL/servers",
    - "Microsoft.Network/networkInterfaces",
    - "Microsoft.Network/networkSecurityGroups",
    - "Microsoft.DBforPostgreSQL/servers",
    - "Microsoft.PowerBIDedicated/capacities",
    - "Microsoft.Network/publicIPAddresses",
    - "Microsoft.RecoveryServices/vaults",
    - "Microsoft.Cache/redis",
    - "Microsoft.Relay/namespaces",
    - "Microsoft.Search/searchServices",
    - "Microsoft.ServiceBus/namespaces",
    - "Microsoft.SignalRService/SignalR",
    - "Microsoft.Sql/servers/databases",
    - "Microsoft.Sql/servers/elasticPools",
    - "Microsoft.StreamAnalytics/streamingjobs",
    - "Microsoft.TimeSeriesInsights/environments",
    - "Microsoft.Network/trafficManagerProfiles",
    - "Microsoft.Compute/virtualMachines",
    - "Microsoft.Compute/virtualMachineScaleSets",
    - "Microsoft.Network/virtualNetworks",
    - "Microsoft.Network/virtualNetworkGateways"
    ]
  },
- logsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9: {4 items
  - type: "Boolean",
  - metadata: {1 item
    - displayName: "Include logs when auditing diagnostic logging settings."
    },
  - allowedValues: [2 items
    - true,
    - false
    ],
  - defaultValue: true
  },
- metricsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9: {4 items
  - type: "Boolean",
  - metadata: {1 item
    - displayName: "Include metrics when auditing diagnostic logging settings."
    },
  - allowedValues: [2 items
    - true,
    - false
    ],
  - defaultValue: true
  },
- workspaceIDsLogAnalyticsAgentShouldConnectTo: {2 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Connected workspace IDs",
    - description: "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
    }
  },
- listOfMembersToIncludeInWindowsVMAdministratorsGroup: {2 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Members to include",
    - description: "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
    }
  },
- domainNameFQDN: {2 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Domain Name (FQDN)",
    - description: "The fully qualified domain name (FQDN) that the Windows VMs should be joined to"
    }
  }
},
policyDefinitions: [48 items
- {4 items
  - policyDefinitionReferenceId: "DeprecatedAccountsShouldBeRemovedFromYourSubscription",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be Blocked accounts with read and write permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "DeprecatedAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5 Blocked accounts with owner permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "ExternalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046 Guest accounts with owner permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "ExternalAccountsWithReadPermissionsShouldBeRemovedFromYourSubscription",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52 Guest accounts with read permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "ExternalAccountsWithWritePermissionsShouldBeRemovedFromYourSubscription",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87 Guest accounts with write permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "FunctionAppShouldOnlyBeAccessibleOverHttps",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "WebApplicationShouldOnlyBeAccessibleOverHttps",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d App Service apps should only be accessible over HTTPS ,
  - definitionVersion: 4.*.*4.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AMaximumOf3OwnersShouldBeDesignatedForYourSubscription",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c A maximum of 3 owners should be designated for your subscription ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "ThereShouldBeMoreThanOneOwnerAssignedToYourSubscription",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b There should be more than one owner assigned to your subscription ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "RemoteDebuggingShouldBeTurnedOffForFunctionApp",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9 Function apps should have remote debugging turned off ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "RemoteDebuggingShouldBeTurnedOffForWebApplication",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service apps should have remote debugging turned off ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "DDoSProtectionStandardShouldBeEnabled",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd Azure DDoS Protection should be enabled ,
  - definitionVersion: 3.*.*3.0.1,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "Prerequisite_AddSystemIdentityWhenNone",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities ,
  - definitionVersion: 4.*.*4.1.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "Prerequisite_AddSystemIdentityWhenUser",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity ,
  - definitionVersion: 4.*.*4.1.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "Prerequisite_DeployExtensionWindows",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs ,
  - definitionVersion: 1.*.*1.3.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "Prerequisite_DeployExtensionLinux",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs ,
  - definitionVersion: 3.*.*3.2.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditLinuxVMsThatAllowRemoteConnectionsFromAccountsWithoutPasswords",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords ,
  - definitionVersion: 3.*.*3.1.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditLinuxVMsThatHaveAccountsWithoutPasswords",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords ,
  - definitionVersion: 3.*.*3.1.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditLinuxVMsThatDoNotHaveThePasswdFilePermissionsSetTo0644",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 ,
  - definitionVersion: 3.*.*3.1.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditWindowsVMsThatAllowReUseOfThePrevious24Passwords",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/5b054a0d-39e2-4d53-bea3-9734cad2c69b Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords ,
  - definitionVersion: 2.*.*2.1.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditWindowsVMsThatDoNotHaveAMaximumPasswordAgeOf70Days",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/4ceb8dc2-559c-478b-a15b-733fbf1e3738 Audit Windows machines that do not have the maximum password age set to specified number of days ,
  - definitionVersion: 2.*.*2.1.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditWindowsVMsThatDoNotHaveAMinimumPasswordAgeOf1Day",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/237b38db-ca4d-4259-9e47-7882441ca2c0 Audit Windows machines that do not have the minimum password age set to specified number of days ,
  - definitionVersion: 2.*.*2.1.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditWindowsVMsThatDoNotHaveThePasswordComplexitySettingEnabled",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/bf16e0bb-31e1-4646-8202-60a235cc7e74 Audit Windows machines that do not have the password complexity setting enabled ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Audit Windows machines that do not restrict the minimum password length to specified number of characters ,
  - definitionVersion: 2.*.*2.1.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditWindowsVMsThatDoNotStorePasswordsUsingReversibleEncryption",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661 Audit Windows machines that do not store passwords using reversible encryption ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "JustInTimeNetworkAccessControlShouldBeAppliedOnVirtualMachines",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c Management ports of virtual machines should be protected with just-in-time network access control ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "VulnerabilitiesOnYourSqlDatabasesShouldBeRemediated",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc SQL databases should have vulnerability findings resolved ,
  - definitionVersion: 4.*.*4.1.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AccessThroughInternetFacingEndpointShouldBeRestricted",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 All network ports should be restricted on network security groups associated to your virtual machine ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "OnlySecureConnectionsToYourRedisCacheShouldBeEnabled",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb Only secure connections to your Azure Cache for Redis should be enabled ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AnAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 An Azure Active Directory administrator should be provisioned for SQL servers ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "SecureTransferToStorageAccountsShouldBeEnabled",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9 Secure transfer to storage accounts should be enabled ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AdvancedDataSecurityShouldBeEnabledOnYourSqlServers",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 Azure Defender for SQL should be enabled for unprotected Azure SQL servers ,
  - definitionVersion: 2.*.*2.0.1,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AuditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows machines should be configured to use secure communication protocols ,
  - definitionVersion: 4.*.*4.1.1,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "TransparentDataEncryptionOnSqlDatabasesShouldBeEnabled",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12 Transparent Data Encryption on SQL databases should be enabled ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AuditUnrestrictedNetworkAccessToStorageAccounts",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c Storage accounts should restrict network access ,
  - definitionVersion: 1.*.*1.1.1,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "ServiceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0 Service Fabric clusters should only use Azure Active Directory for client authentication ,
  - definitionVersion: 1.*.*1.1.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AuditUsageOfCustomRbacRules",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 Audit usage of custom RBAC roles ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AuditVMsThatDoNotUseManagedDisks",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Audit VMs that do not use managed disks ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "VirtualMachineShouldBeMigratedToNewAzureResourceManagerResources",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d Virtual machines should be migrated to new Azure Resource Manager resources ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AutomationAccountVariablesShouldBeEncrypted",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation account variables should be encrypted ,
  - definitionVersion: 1.*.*1.1.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "StorageAccountsShouldBeMigratedToNewAzureResourceManagerResources",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 Storage accounts should be migrated to new Azure Resource Manager resources ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "DiagnosticLogsInAzureStreamAnalyticsShouldBeEnabled",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46 Resource logs in Azure Stream Analytics should be enabled ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditWindowsVMsOnWhichTheLogAnalyticsAgentIsNotConnectedAsExpected",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/6265018c-d7e2-432f-a75d-094d5f6f4465 Audit Windows machines on which the Log Analytics agent is not connected as expected ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {2 items
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      },
    - WorkspaceId: {1 item
      - value: "[parameters('workspaceIDsLogAnalyticsAgentShouldConnectTo')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "PreviewAuditDependencyAgentDeploymentInVmssVmImageOsUnlisted",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10 Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images ,
  - definitionVersion: 2.*.*2.1.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AuditSqlServerLevelAuditingSettings",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 Auditing on SQL server should be enabled ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {}
  },
- {4 items
  - policyDefinitionReferenceId: "AdministratorsGroupDoesNotContainAllOfTheSpecifiedMembers",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 Audit Windows machines missing any of specified members in the Administrators group ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {2 items
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      },
    - MembersToInclude: {1 item
      - value: "[parameters('listOfMembersToIncludeInWindowsVMAdministratorsGroup')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "AuditWindowsVMsThatAreNotJoinedToTheSpecifiedDomain",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/84662df4-0e37-44a6-9ce1-c9d2150db18c Audit Windows machines that are not joined to the specified domain ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {2 items
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      },
    - DomainName: {1 item
      - value: "[parameters('domainNameFQDN')]"
      }
    }
  },
- {4 items
  - policyDefinitionReferenceId: "AuditDiagnosticSetting",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting for selected resource types ,
  - definitionVersion: 2.*.*2.0.1,
  - parameters: {3 items
    - listOfResourceTypes: {1 item
      - value: "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
      },
    - logsEnabled: {1 item
      - value: "[parameters('logsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9')]"
      },
    - metricsEnabled: {1 item
      - value: "[parameters('metricsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9')]"
      }
    }
  }
],
versions: [6 items
- "6.6.0-preview",
- "6.5.0-preview",
- "6.4.0-preview",
- "6.3.0-preview",
- "6.2.0-preview",
- "6.1.0-preview"
]

}