AzInitiativeAdvertizer

last sync: 2022-Jan-20 18:36:46 UTC

Azure Policy Initiative

[Deprecated]: Azure Security Benchmark v1

Name

[Deprecated]: Azure Security Benchmark v1
Azure Portal

42a694ed-f65e-42b2-aa9e-8052e9740a92

Version

11.0.0-deprecated
details on versioning

Category

Regulatory Compliance
Microsoft docs

Description

This initiative has been deprecated. The Azure Security Benchmark initiative now represents the Azure Security Benchmark v2 controls, and serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center.

Type

BuiltIn

Deprecated

True

Preview

False

History

Date/Time (UTC ymd) (i)	Changes
2022-01-13 19:18:29	add Policy Resource logs in App Services should be enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510) remove Policy [Deprecated]: Diagnostic logs in App Services should be enabled (b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0)
2021-12-08 16:24:23	add Policy SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2) add Policy SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8) remove Policy [Preview]: Sensitive data in your SQL databases should be classified (cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349) remove Policy [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest (0d134df8-db83-46fb-ad72-fe0c9428c8dd) remove Policy [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest (048248b0-55cd-46da-b1ff-39efd52db260)
2021-06-22 14:29:04	remove Policy [Deprecated]: Service Bus should use a virtual network service endpoint (235359c5-7c52-4b82-9055-01c75cf9f60e)
2021-02-09 14:46:37	Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Azure Security Benchmark v1 recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/azsecbm.' to 'This initiative has been deprecated. The Azure Security Benchmark initiative now represents the Azure Security Benchmark v2 controls, and serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center.'
2021-01-22 09:14:56	Name change: '[Preview]: Azure Security Benchmark v1' to '[Deprecated]: Azure Security Benchmark v1' remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c) remove Policy [Deprecated]: A security contact phone number should be provided for your subscription (b4d66858-c922-44e3-9566-5cdb7a7be744)
2021-01-13 16:08:35	Name change: '[Preview]: Azure Security Benchmark' to '[Preview]: Azure Security Benchmark v1' Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Azure Security Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/azsecbm.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Azure Security Benchmark v1 recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/azsecbm.'
2020-09-15 14:06:41	remove Policy [Deprecated]: Pod Security Policies should be defined on Kubernetes Services (3abeb944-26af-43ee-b83d-32aaf060fb94)
2020-09-09 11:24:08	add Policy Audit Windows machines missing any of specified members in the Administrators group (30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) add Policy Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) add Policy Audit Windows machines on which the Log Analytics agent is not connected as expected (6265018c-d7e2-432f-a75d-094d5f6f4465) add Policy Audit Windows machines that have extra accounts in the Administrators group (3d2a3320-2a72-4c67-ac5f-caa40fbee2b2) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected (68511db2-bd02-41c4-ae6b-1900a012968a) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members (b821191b-3a12-44bc-9c38-212138a29ff3) remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members (cc7cda28-f867-4311-8497-a526129a8d19) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members (93507a81-10a4-4af0-9ee2-34cf25a96e98) remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members (bde62c94-ccca-4821-a815-92c1d31a76de) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members (144f1397-32f9-4598-8c88-118decc3ccba) remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members (f3b44e5d-1456-475f-9c67-c66c4618e85a) remove Policy [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected (a030a57e-4639-4e8f-ade9-a92f33afe7ee)
2020-09-02 14:03:46	remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app (ab965db2-d2bf-4b64-8b39-c38ec8179461) remove Policy [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App (f0473e7a-a1ba-4e86-afb2-e829e11b01d8) remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app (c2e7ca55-f62c-49b2-89a4-d41eb661d2f0) remove Policy [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App (aa81768c-cb87-4ce2-bfaa-00baa10d760c) remove Policy [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app (86d97760-d216-4d81-a3ad-163087b2b6c3) remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app (843664e0-7563-41ee-a9cb-7522c382d2c4) remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App (10c1859c-e1a7-4df3-ab97-a487fa8059f6)
2020-08-21 13:50:30	add Policy Windows machines should meet requirements for 'Security Options - Microsoft Network Server' (caf2d518-f029-4f6b-833b-d7081702f253) add Policy Windows machines should meet requirements for 'Administrative Templates - Network' (67e010c1-640d-438e-a3a5-feaccb533a98) add Policy Windows machines should meet requirements for 'Security Options - Network Access' (3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd) add Policy Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e) add Policy Windows machines should meet requirements for 'Security Options - Network Security' (1221c620-d201-468c-81e7-2817e6107e84) add Policy Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6) add Policy Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6) remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' (7229bd6a-693d-478a-87f0-1dc1af06f3b8) remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' (6fe4ef56-7576-4dc4-8e9c-26bad4b087ce) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' (f56a3ab2-89d1-44de-ac0d-2ada5962e22a) remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' (fcbc55c9-f25a-4e55-a6cb-33acb3be778b) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' (86880e5c-df35-43c5-95ad-7e120635775e) remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' (5c028d2a-1889-45f6-b821-31f42711ced8) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' (36e17963-7202-494a-80c3-f508211c826b) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' (985285b7-b97a-419c-8d48-c88cc934c8d8)
2020-07-01 14:50:07	remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings (aeb23562-188d-47cb-80b8-551f16ef9fff) remove Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278) remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings (c8343d2f-fdc9-4a97-b76f-fc71d1163bfc) remove Policy [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts (3965c43d-b5f4-482e-b74a-d89ee0e0b3a8) remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings (bda18df3-5e41-4709-add9-2554ce68c966) remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings (e756b945-1b1b-480b-8de8-9a0859d5f7ad)
2020-06-16 14:55:25	Description change: 'This initiative includes audit and VM Extension deployment policies that address a subset of Azure Security Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/azsecbm.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Azure Security Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/azsecbm.' Name change: '[Preview]: Audit Azure Security Benchmark recommendations and deploy specific supporting VM Extensions' to '[Preview]: Azure Security Benchmark'
2020-06-11 19:46:04	add Policy FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5) add Policy Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b) add Policy Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49) add Policy [Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c) add Policy SQL Auditing settings should have Action-Groups configured to capture critical activities (7ff426e2-515f-405a-91c8-4f2333442eb5) add Policy Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990) add Policy SQL servers with auditing to storage account destination should be configured with 90 days retention or higher (89099bee-89e0-4b26-a5f4-165451757743) add Policy FTPS should be required in your Web App (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) add Policy FTPS only should be required in your Function App (399b2637-a50f-4f95-96f8-3a145476eb15) remove Policy Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports (057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) remove Policy Security Center standard pricing tier should be selected (a1181c5f-672a-477a-979a-7d58aa086233)
2020-03-03 10:09:24	add Policy Ensure that 'Python version' is the latest, if used as a part of the API app (74c3584d-afae-46f7-a20a-6f8adba71a16) add Policy Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39) add Policy Ensure that 'PHP version' is the latest, if used as a part of the WEB app (7261b898-8a84-4db8-9e04-18527132abb3) add Policy Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version (fb893a29-21bb-418c-a157-e99480ec364c) add Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app (c2e7ca55-f62c-49b2-89a4-d41eb661d2f0) add Policy Ensure that 'Python version' is the latest, if used as a part of the Web app (7008174a-fd10-4ef0-817e-fc820a951d73) add Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app (ab965db2-d2bf-4b64-8b39-c38ec8179461) add Policy Ensure that 'Java version' is the latest, if used as a part of the Function app (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) add Policy Ensure that 'Python version' is the latest, if used as a part of the Function app (7238174a-fd10-4ef0-817e-fc820a951d73) add Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app (843664e0-7563-41ee-a9cb-7522c382d2c4) add Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App (10c1859c-e1a7-4df3-ab97-a487fa8059f6) add Policy Ensure that 'Java version' is the latest, if used as a part of the Web app (496223c3-ad65-4ecd-878a-bae78737e9ed) add Policy Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba) remove Policy Microsoft IaaSAntimalware extension should be deployed on Windows servers (9b597639-28e4-48eb-b506-56b05d366257) remove Policy Azure Monitor solution 'Security and Audit' must be deployed (3e596b57-105f-48a6-be97-03e9243bad6e)
2020-02-05 07:51:53	add Initiative 42a694ed-f65e-42b2-aa9e-8052e9740a92

Policy count

Total Policies: 132
Builtin Policies: 132
Static Policies: 0

Policy used

Policy DisplayName	Policy Id	Category	Effect	State
[Deprecated]: Unattached disks should be encrypted	2c89a2e5-7285-40fe-afe0-ae8654b92fb2	Compute	Default: Audit Allowed: (Audit, Disabled)	Deprecated
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall	fc5e4038-4584-4632-8c85-c0448d374b2c	Network	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	Preview
[Preview]: Container Registry should use a virtual network service endpoint	c4857be7-912a-4c75-87e6-e30292bcdf78	Network	Default: Audit Allowed: (Audit, Disabled)	Preview
A maximum of 3 owners should be designated for your subscription	4f11b553-d42e-4e3a-89be-32ca364cad4c	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
A vulnerability assessment solution should be enabled on your virtual machines	501541f7-f7e7-4cd6-868c-4190fdad3ac9	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Adaptive application controls for defining safe applications should be enabled on your machines	47a6b606-51aa-4496-8bb7-64b11cf66adc	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines	08e6af2d-db70-460a-bfe9-d5bd474ba9d6	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	3cf2ab00-13f1-4d0c-8971-2ac904541a7e	Guest Configuration	Fixed: modify	GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	497dff13-db2a-4c0f-8603-28fa3b331ab6	Guest Configuration	Fixed: modify	GA
An Azure Active Directory administrator should be provisioned for SQL servers	1f314764-cb73-4fc9-b863-8eca98ac36e9	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
API App should only be accessible over HTTPS	b7ddfbdc-1260-477d-91fd-98bd9be789a6	App Service	Default: Audit Allowed: (Audit, Disabled)	GA
App Service should use a virtual network service endpoint	2d21331d-a4c2-4def-a9ad-ee4e1e023beb	Network	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Audit diagnostic setting	7f89b1eb-583c-429a-8828-af049802c1d9	Monitoring	Fixed: AuditIfNotExists	GA
Audit usage of custom RBAC rules	a451c1ef-c6ca-483d-87ed-f49761e3ffb5	General	Default: Audit Allowed: (Audit, Disabled)	GA
Audit Windows machines missing any of specified members in the Administrators group	30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7	Guest Configuration	Fixed: auditIfNotExists	GA
Audit Windows machines on which the Log Analytics agent is not connected as expected	6265018c-d7e2-432f-a75d-094d5f6f4465	Guest Configuration	Fixed: auditIfNotExists	GA
Audit Windows machines that have extra accounts in the Administrators group	3d2a3320-2a72-4c67-ac5f-caa40fbee2b2	Guest Configuration	Fixed: auditIfNotExists	GA
Audit Windows machines that have the specified members in the Administrators group	69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f	Guest Configuration	Fixed: auditIfNotExists	GA
Auditing on SQL server should be enabled	a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Authorized IP ranges should be defined on Kubernetes Services	0e246bcf-5f6f-4f87-bc6f-775d4712c7ea	Security Center	Default: Audit Allowed: (Audit, Disabled)	GA
Auto provisioning of the Log Analytics agent should be enabled on your subscription	475aae12-b88a-4572-8b36-9b712b2b3a17	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Automation account variables should be encrypted	3657f5a0-770e-44a3-b44e-9431ba1e9735	Automation	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
Azure Backup should be enabled for Virtual Machines	013e242c-8828-4970-87b3-ab247555486d	Backup	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Azure DDoS Protection Standard should be enabled	a7aca53f-2ed4-4466-a25e-0b45ade68efd	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Azure Defender for SQL should be enabled for unprotected Azure SQL servers	abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances	abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'	1a4e592a-6a6e-44a5-9814-e36264ca96e7	Monitoring	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Azure Monitor should collect activity logs from all regions	41388f1c-2db0-4c25-95b2-35d7f5ccbfa9	Monitoring	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
CORS should not allow every resource to access your API App	358c20a6-3f9e-4f0e-97ff-c6ce485e2aac	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
CORS should not allow every resource to access your Function Apps	0820b7b9-23aa-4725-a1ce-ae4558f718e5	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
CORS should not allow every resource to access your Web Applications	5744710e-cc2f-4ee8-8809-3b11e89f4bc9	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Cosmos DB should use a virtual network service endpoint	e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9	Network	Default: Audit Allowed: (Audit, Disabled)	GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	385f5831-96d4-41db-9a3c-cd3af78aaae6	Guest Configuration	Fixed: deployIfNotExists	GA
Deprecated accounts should be removed from your subscription	6b1cbf55-e8b6-442f-ba4c-7246b6381474	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Deprecated accounts with owner permissions should be removed from your subscription	ebb62a0c-3560-49e1-89ed-27e074e9f8ad	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Endpoint protection solution should be installed on virtual machine scale sets	26a828e1-e88f-464e-bbb3-c134a282b9de	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Enforce SSL connection should be enabled for MySQL database servers	e802a67a-daf5-4436-9ea6-f6d821dd0c5d	SQL	Default: Audit Allowed: (Audit, Disabled)	GA
Enforce SSL connection should be enabled for PostgreSQL database servers	d158790f-bfb0-486c-8631-2dc6b4e8e6af	SQL	Default: Audit Allowed: (Audit, Disabled)	GA
Ensure that 'Java version' is the latest, if used as a part of the API app	88999f4c-376a-45c8-bcb3-4058f713cf39	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Ensure that 'Java version' is the latest, if used as a part of the Function app	9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Ensure that 'Java version' is the latest, if used as a part of the Web app	496223c3-ad65-4ecd-878a-bae78737e9ed	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Ensure that 'PHP version' is the latest, if used as a part of the API app	1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Ensure that 'PHP version' is the latest, if used as a part of the WEB app	7261b898-8a84-4db8-9e04-18527132abb3	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Ensure that 'Python version' is the latest, if used as a part of the API app	74c3584d-afae-46f7-a20a-6f8adba71a16	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Ensure that 'Python version' is the latest, if used as a part of the Function app	7238174a-fd10-4ef0-817e-fc820a951d73	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Ensure that 'Python version' is the latest, if used as a part of the Web app	7008174a-fd10-4ef0-817e-fc820a951d73	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'	5bb220d9-2698-4ee4-8404-b9c30c9df609	App Service	Default: Audit Allowed: (Audit, Disabled)	GA
Event Hub should use a virtual network service endpoint	d63edb4a-c612-454d-b47d-191a724fcbf0	Network	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
External accounts with owner permissions should be removed from your subscription	f8456c1c-aa66-4dfb-861a-25d127b775c9	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
External accounts with read permissions should be removed from your subscription	5f76cf89-fbf2-47fd-a3f4-b891fa780b60	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
External accounts with write permissions should be removed from your subscription	5c607a2e-c700-4744-8254-d77e7c9eb5e4	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
FTPS only should be required in your API App	9a1b8c48-453a-4044-86c3-d8bfd823e4f5	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
FTPS only should be required in your Function App	399b2637-a50f-4f95-96f8-3a145476eb15	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
FTPS should be required in your Web App	4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Function App should only be accessible over HTTPS	6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab	App Service	Default: Audit Allowed: (Audit, Disabled)	GA
Geo-redundant backup should be enabled for Azure Database for MariaDB	0ec47710-77ff-4a3d-9181-6aa50af424d0	SQL	Default: Audit Allowed: (Audit, Disabled)	GA
Geo-redundant backup should be enabled for Azure Database for MySQL	82339799-d096-41ae-8538-b108becf0970	SQL	Default: Audit Allowed: (Audit, Disabled)	GA
Geo-redundant backup should be enabled for Azure Database for PostgreSQL	48af4db5-9b8b-401c-8e74-076be876a430	SQL	Default: Audit Allowed: (Audit, Disabled)	GA
Internet-facing virtual machines should be protected with network security groups	f6de0be7-9a8a-4b8a-b349-43cf02d22f7c	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
IP Forwarding on your virtual machine should be disabled	bd352bd5-2853-4985-bf0d-73806b4a5744	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Key Vault should use a virtual network service endpoint	ea4d6841-2173-4317-9747-ff522a45120f	Network	Default: Audit Allowed: (Audit, Disabled)	GA
Key vaults should have purge protection enabled	0b60c0b2-2dc2-4e1c-b5c9-abbed971de53	Key Vault	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version	fb893a29-21bb-418c-a157-e99480ec364c	Security Center	Default: Audit Allowed: (Audit, Disabled)	GA
Latest TLS version should be used in your API App	8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Latest TLS version should be used in your Function App	f9d614c5-c173-4d56-95a7-b4437057d193	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Latest TLS version should be used in your Web App	f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Long-term geo-redundant backup should be enabled for Azure SQL Databases	d38fc420-0735-4ef3-ac11-c806f651a570	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Managed identity should be used in your API App	c4d441f8-f9d9-4a9e-9cef-e82117cb3eef	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Managed identity should be used in your Function App	0da106f2-4ca3-48e8-bc85-c638fe6aea8f	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Managed identity should be used in your Web App	2b9ad585-36bc-4615-b300-fd4435808332	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Management ports of virtual machines should be protected with just-in-time network access control	b0f33259-77d7-4c9e-aac6-3aabcfae693c	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Management ports should be closed on your virtual machines	22730e10-96f6-4aac-ad84-9383d35b5917	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
MFA should be enabled accounts with write permissions on your subscription	9297c21d-2ed6-4474-b48f-163f75654ce3	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
MFA should be enabled on accounts with owner permissions on your subscription	aa633080-8b72-40c4-a2d7-d00c03e80bed	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
MFA should be enabled on accounts with read permissions on your subscription	e3576e28-8b17-4677-84c3-db2990658d64	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Microsoft Antimalware for Azure should be configured to automatically update protection signatures	c43e4a30-77cb-48ab-a4dd-93f175c63b57	Compute	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Monitor missing Endpoint Protection in Azure Security Center	af6cd1bd-1635-48cb-bde7-5b15693900b9	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Network Watcher should be enabled	b6e2945c-0b7b-40f5-9233-7a5323b5cdc6	Network	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Only secure connections to your Azure Cache for Redis should be enabled	22bee202-a82f-4305-9a2a-6d7f44d4dedb	Cache	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
Private endpoint should be enabled for MariaDB servers	0a1302fb-a631-4106-9753-f3d494733990	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Private endpoint should be enabled for MySQL servers	7595c971-233d-4bcf-bd18-596129188c49	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Private endpoint should be enabled for PostgreSQL servers	0564d078-92f5-4f97-8398-b9f58a51f70b	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Remote debugging should be turned off for API Apps	e9c8d085-d9cc-4b17-9cdc-059f1f01f19e	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Remote debugging should be turned off for Function Apps	0e60b895-3786-45da-8377-9c6b4b6ac5f9	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Remote debugging should be turned off for Web Applications	cb510bfd-1cba-4d9f-a230-cb0976f4bb71	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in App Services should be enabled	91a78b24-f231-4a8a-8da9-02c35b2b6510	App Service	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Azure Data Lake Store should be enabled	057ef27e-665e-4328-8ea3-04b3122bd9fb	Data Lake	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Azure Stream Analytics should be enabled	f9be5368-9bf5-4b84-9e0a-7850da98bb46	Stream Analytics	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Batch accounts should be enabled	428256e6-1fac-4f48-a757-df34c2b3336d	Batch	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Data Lake Analytics should be enabled	c95c74d9-38fe-4f0d-af86-0c7d626a315c	Data Lake	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Event Hub should be enabled	83a214f7-d01a-484b-91a9-ed54470c9a6a	Event Hub	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in IoT Hub should be enabled	383856f8-de7f-44a2-81fc-e5135b5c2aa4	Internet of Things	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Key Vault should be enabled	cf820ca0-f99e-4f3e-84fb-66e913812d21	Key Vault	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Logic Apps should be enabled	34f95f76-5386-4de7-b824-0d8478470c9d	Logic Apps	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Search services should be enabled	b4330a05-a843-4bc8-bf9a-cacce50c67f4	Search	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Service Bus should be enabled	f8d36e2f-389b-4ee4-898d-21aeb69a0f45	Service Bus	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Resource logs in Virtual Machine Scale Sets should be enabled	7c1b1214-f927-48bf-8882-84f0af6588b1	Compute	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Role-Based Access Control (RBAC) should be used on Kubernetes Services	ac4a19c2-fa67-49b4-8ae5-0b2e78c49457	Security Center	Default: Audit Allowed: (Audit, Disabled)	GA
Secure transfer to storage accounts should be enabled	404c3081-a854-4457-ae30-26a93ef643f9	Storage	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign	617c02be-7f02-4efd-8836-3180d47b6c68	Service Fabric	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
Service Fabric clusters should only use Azure Active Directory for client authentication	b54ed75b-3e1a-44ac-a333-05ba39b99ff0	Service Fabric	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
SQL Auditing settings should have Action-Groups configured to capture critical activities	7ff426e2-515f-405a-91c8-4f2333442eb5	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
SQL databases should have vulnerability findings resolved	feedbf84-6b99-488c-acc2-71c829aa5ffc	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
SQL managed instances should use customer-managed keys to encrypt data at rest	ac01ad65-10e5-46df-bdd9-6b0cad13e1d2	SQL	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
SQL Server should use a virtual network service endpoint	ae5d2f14-d830-42b6-9899-df6cfe9c71a3	Network	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
SQL servers should use customer-managed keys to encrypt data at rest	0a370ff3-6cab-4e85-8995-295fd854c5b8	SQL	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher	89099bee-89e0-4b26-a5f4-165451757743	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Storage accounts should be migrated to new Azure Resource Manager resources	37e0d2fe-28a5-43d6-a273-67d37d1f5606	Storage	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
Storage accounts should restrict network access	34c877ad-507e-4c82-993e-3452a6e0ad3c	Storage	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
Storage Accounts should use a virtual network service endpoint	60d21c4f-21a3-4d94-85f4-b924e6aeeda4	Network	Default: Audit Allowed: (Audit, Disabled)	GA
Subnets should be associated with a Network Security Group	e71308d3-144b-4262-b144-efdc3cc90517	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Subscriptions should have a contact email address for security issues	4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
System updates on virtual machine scale sets should be installed	c3f317a7-a95c-4547-b7e7-11017ebdf2fe	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
System updates should be installed on your machines	86b3d65f-7626-441e-b690-81a8b71cff60	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
The Log Analytics extension should be installed on Virtual Machine Scale Sets	efbde977-ba53-4479-b8e9-10b957924fbf	Monitoring	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
There should be more than one owner assigned to your subscription	09024ccc-0c5f-475e-9457-b7c0d9ed487b	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Transparent Data Encryption on SQL databases should be enabled	17k78e20-9358-41c9-923c-fb736d382a12	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Virtual machines should be connected to an approved virtual network	d416745a-506c-48b6-8ab1-83cb814bcaa3	Network	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
Virtual machines should be migrated to new Azure Resource Manager resources	1d84d5fb-01f6-4d12-ba4f-4a26081d403d	Compute	Default: Audit Allowed: (Audit, Deny, Disabled)	GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources	0961003e-5a0a-4549-abde-af6a37f2724d	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Virtual machines should have the Log Analytics extension installed	a70ca396-0a34-413a-88e1-b956c1e683be	Monitoring	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Virtual networks should use specified virtual network gateway	f1776c76-f58c-4245-a8d0-2b207198dc8b	Network	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Vulnerabilities in container security configurations should be remediated	e8cbc669-f12d-49eb-93e7-9273119e9933	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Vulnerabilities in security configuration on your machines should be remediated	e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated	3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4	Security Center	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Vulnerability assessment should be enabled on SQL Managed Instance	1b7aa243-30e4-4c9e-bca8-d0d3022b634a	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Vulnerability assessment should be enabled on your SQL servers	ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9	SQL	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Web Application should only be accessible over HTTPS	a4af4a39-4135-47fb-b175-47fbdf85311d	App Service	Default: Audit Allowed: (Audit, Disabled)	GA
Windows machines should meet requirements for 'Administrative Templates - Network'	67e010c1-640d-438e-a3a5-feaccb533a98	Guest Configuration	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Windows machines should meet requirements for 'Security Options - Microsoft Network Server'	caf2d518-f029-4f6b-833b-d7081702f253	Guest Configuration	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Windows machines should meet requirements for 'Security Options - Network Access'	3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd	Guest Configuration	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA
Windows machines should meet requirements for 'Security Options - Network Security'	1221c620-d201-468c-81e7-2817e6107e84	Guest Configuration	Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled)	GA

JSON