| Policy DisplayName | Policy Id | Category | Effect | State |
|---|---|---|---|---|
| [Deprecated]: Authentication should be enabled on your API app | c4ebc54a-46e1-481a-bee2-d4411e95d828 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | Deprecated |
| [Deprecated]: Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | App Service | Default: Audit Allowed: (Audit, Disabled) | Deprecated |
| [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app | 991310cd-e9f3-47bc-b7b6-f57b557d07db | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | Deprecated |
| [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app | 88999f4c-376a-45c8-bcb3-4058f713cf39 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | Deprecated |
| [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | Deprecated |
| [Deprecated]: Ensure that 'Python version' is the latest, if used as a part of the API app | 74c3584d-afae-46f7-a20a-6f8adba71a16 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | Deprecated |
| [Deprecated]: FTPS only should be required in your API App | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | Deprecated |
| [Deprecated]: Latest TLS version should be used in your API App | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | Deprecated |
| [Deprecated]: Managed identity should be used in your API App | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | Deprecated |
| [Preview]: Storage account public access should be disallowed | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | Storage | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | Preview |
| An activity log alert should exist for specific Administrative operations | b954148f-4c11-4c38-8221-be76711e194a | Monitoring | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| An activity log alert should exist for specific Policy operations | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | Monitoring | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| An activity log alert should exist for specific Security operations | 3b980d31-7904-4bb7-8575-5665739a8052 | Monitoring | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| An Azure Active Directory administrator should be provisioned for SQL servers | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| App Service apps should only be accessible over HTTPS | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service | Default: Audit Allowed: (Audit, Disabled) | GA |
| Audit VMs that do not use managed disks | 06a78e20-9358-41c9-923c-fb736d382a4d | Compute | Fixed: audit | GA |
| Auditing on SQL server should be enabled | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Authentication should be enabled on your Function app | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Authentication should be enabled on your web app | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | 475aae12-b88a-4572-8b36-9b712b2b3a17 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for App Service should be enabled | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for Azure SQL Database servers should be enabled | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for Key Vault should be enabled | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for servers should be enabled | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for SQL servers on machines should be enabled | 6581d072-105e-4418-827f-bd446d56421b | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for Storage should be enabled | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Connection throttling should be enabled for PostgreSQL database servers | 5345bb39-67dc-4960-a1bf-427e16b9a0bd | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Disconnections should be logged for PostgreSQL database servers. | eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Email notification for high severity alerts should be enabled | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Enforce SSL connection should be enabled for MySQL database servers | e802a67a-daf5-4436-9ea6-f6d821dd0c5d | SQL | Default: Audit Allowed: (Audit, Disabled) | GA |
| Enforce SSL connection should be enabled for PostgreSQL database servers | d158790f-bfb0-486c-8631-2dc6b4e8e6af | SQL | Default: Audit Allowed: (Audit, Disabled) | GA |
| Ensure that 'HTTP Version' is the latest, if used to run the Function app | e2c1c086-2d84-4019-bff3-c44ccd95113c | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Ensure that 'HTTP Version' is the latest, if used to run the Web app | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Ensure that 'Java version' is the latest, if used as a part of the Function app | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Ensure that 'Java version' is the latest, if used as a part of the Web app | 496223c3-ad65-4ecd-878a-bae78737e9ed | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Ensure that 'PHP version' is the latest, if used as a part of the WEB app | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Ensure that 'Python version' is the latest, if used as a part of the Function app | 7238174a-fd10-4ef0-817e-fc820a951d73 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Ensure that 'Python version' is the latest, if used as a part of the Web app | 7008174a-fd10-4ef0-817e-fc820a951d73 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | App Service | Default: Audit Allowed: (Audit, Disabled) | GA |
| External accounts with owner permissions should be removed from your subscription | f8456c1c-aa66-4dfb-861a-25d127b775c9 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| External accounts with read permissions should be removed from your subscription | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| External accounts with write permissions should be removed from your subscription | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| FTPS only should be required in your Function App | 399b2637-a50f-4f95-96f8-3a145476eb15 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| FTPS should be required in your Web App | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Function apps should have 'Client Certificates (Incoming client certificates)' enabled | eaebaea7-8013-4ceb-9d14-7eb32271373c | App Service | Default: Audit Allowed: (Audit, Disabled) | GA |
| Key Vault keys should have an expiration date | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | Key Vault | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| Key Vault secrets should have an expiration date | 98728c90-32c7-4049-8429-847dc0f4fe37 | Key Vault | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| Key vaults should have purge protection enabled | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key Vault | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| Latest TLS version should be used in your Function App | f9d614c5-c173-4d56-95a7-b4437057d193 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Latest TLS version should be used in your Web App | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Log checkpoints should be enabled for PostgreSQL database servers | eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Log connections should be enabled for PostgreSQL database servers | eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Managed identity should be used in your Function App | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Managed identity should be used in your Web App | 2b9ad585-36bc-4615-b300-fd4435808332 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| MFA should be enabled accounts with write permissions on your subscription | 9297c21d-2ed6-4474-b48f-163f75654ce3 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| MFA should be enabled on accounts with owner permissions on your subscription | aa633080-8b72-40c4-a2d7-d00c03e80bed | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| MFA should be enabled on accounts with read permissions on your subscription | e3576e28-8b17-4677-84c3-db2990658d64 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Microsoft Defender for Containers should be enabled | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Monitor missing Endpoint Protection in Azure Security Center | af6cd1bd-1635-48cb-bde7-5b15693900b9 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Network Watcher should be enabled | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | Network | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Only approved VM extensions should be installed | c0e996f8-39cf-4af9-9f45-83fbde810432 | Compute | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| Resource logs in App Services should be enabled | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Azure Data Lake Store should be enabled | 057ef27e-665e-4328-8ea3-04b3122bd9fb | Data Lake | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Azure Stream Analytics should be enabled | f9be5368-9bf5-4b84-9e0a-7850da98bb46 | Stream Analytics | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Batch accounts should be enabled | 428256e6-1fac-4f48-a757-df34c2b3336d | Batch | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Data Lake Analytics should be enabled | c95c74d9-38fe-4f0d-af86-0c7d626a315c | Data Lake | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Event Hub should be enabled | 83a214f7-d01a-484b-91a9-ed54470c9a6a | Event Hub | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in IoT Hub should be enabled | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | Internet of Things | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Key Vault should be enabled | cf820ca0-f99e-4f3e-84fb-66e913812d21 | Key Vault | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Logic Apps should be enabled | 34f95f76-5386-4de7-b824-0d8478470c9d | Logic Apps | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Search services should be enabled | b4330a05-a843-4bc8-bf9a-cacce50c67f4 | Search | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Service Bus should be enabled | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | Service Bus | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Virtual Machine Scale Sets should be enabled | 7c1b1214-f927-48bf-8882-84f0af6588b1 | Compute | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | Security Center | Default: Audit Allowed: (Audit, Disabled) | GA |
| Secure transfer to storage accounts should be enabled | 404c3081-a854-4457-ae30-26a93ef643f9 | Storage | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| SQL managed instances should use customer-managed keys to encrypt data at rest | ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 | SQL | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| SQL servers should use customer-managed keys to encrypt data at rest | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 89099bee-89e0-4b26-a5f4-165451757743 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Storage account containing the container with activity logs must be encrypted with BYOK | fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 | Monitoring | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Storage accounts should allow access from trusted Microsoft services | c9d007d0-c057-4772-b18c-01e546713bcd | Storage | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| Storage accounts should restrict network access | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| Storage accounts should restrict network access using virtual network rules | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | Storage | Default: Audit Allowed: (Audit, Deny, Disabled) | GA |
| Storage accounts should use customer-managed key for encryption | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage | Default: Audit Allowed: (Audit, Disabled) | GA |
| Subscriptions should have a contact email address for security issues | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| System updates should be installed on your machines | 86b3d65f-7626-441e-b690-81a8b71cff60 | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Transparent Data Encryption on SQL databases should be enabled | 17k78e20-9358-41c9-923c-fb736d382a12 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 0961003e-5a0a-4549-abde-af6a37f2724d | Security Center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Vulnerability assessment should be enabled on SQL Managed Instance | 1b7aa243-30e4-4c9e-bca8-d0d3022b634a | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |
| Vulnerability assessment should be enabled on your SQL servers | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | SQL | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA |