| Policy DisplayName | Policy Id | Category | Effect | State |
|---|---|---|---|---|
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | fc5e4038-4584-4632-8c85-c0448d374b2c | Network | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | Preview |
| [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 32133ab0-ee4b-4b44-98d6-042180979d50 | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | Preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 04c4380f-3fae-46e8-96c9-30193528f602 | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | Preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | Preview |
| A maximum of 3 owners should be designated for your subscription | 4f11b553-d42e-4e3a-89be-32ca364cad4c | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| A vulnerability assessment solution should be enabled on your virtual machines | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Activity log should be retained for at least one year | b02aacc0-b073-424e-8298-42b22829ee0a | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Adaptive application controls for defining safe applications should be enabled on your machines | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Guest Configuration | Fixed: modify | GA |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Guest Configuration | Fixed: modify | GA |
| All network ports should be restricted on network security groups associated to your virtual machine | 9daedab3-fb2d-461e-b861-71790eead4f6 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Allowlist rules in your adaptive application control policy should be updated | 123a3936-f020-408a-ba0c-47873faf1534 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| App Service apps should have resource logs enabled | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| App Service apps should use a virtual network service endpoint | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | Network | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit Linux machines that allow remote connections from accounts without passwords | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | e6955644-301c-44b5-a4c4-528577de6861 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit Linux machines that have accounts without passwords | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit virtual machines without disaster recovery configured | 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 | Compute | Fixed: auditIfNotExists | GA |
| Audit VMs that do not use managed disks | 06a78e20-9358-41c9-923c-fb736d382a4d | Compute | Fixed: audit | GA |
| Audit Windows machines that allow re-use of the previous 24 passwords | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit Windows machines that contain certificates expiring within the specified number of days | 1417908b-4bff-46ee-a2a6-4acc899320ab | Guest Configuration | Fixed: auditIfNotExists | GA |
| Audit Windows machines that do not have a maximum password age of 70 days | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit Windows machines that do not have a minimum password age of 1 day | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit Windows machines that do not have the password complexity setting enabled | bf16e0bb-31e1-4646-8202-60a235cc7e74 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit Windows machines that do not restrict the minimum password length to 14 characters | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit Windows machines that do not store passwords using reversible encryption | da0f98fe-a24b-4ad5-af69-bd0400233661 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Audit Windows VMs with a pending reboot | 4221adbc-5c0f-474f-88b7-037a99e6114c | Guest Configuration | Fixed: auditIfNotExists | GA |
| Authentication to Linux machines should require SSH keys | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | 475aae12-b88a-4572-8b36-9b712b2b3a17 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Automation account variables should be encrypted | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | Automation | Default: Audit; Allowed: (Audit, Deny, Disabled) | GA |
| Azure Backup should be enabled for Virtual Machines | 013e242c-8828-4970-87b3-ab247555486d | Backup | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure DDoS Protection Standard should be enabled | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for App Service should be enabled | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for Key Vault should be enabled | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for servers should be enabled | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Defender for Storage should be enabled | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Key Vault should have firewall enabled | 55615ac9-af46-4a59-874e-391cc3dfb490 | Key Vault | Default: Audit; Allowed: (Audit, Deny, Disabled) | GA |
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1a4e592a-6a6e-44a5-9814-e36264ca96e7 | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | ea0dfaed-95fb-448c-934e-d6e713ce393d | Monitoring | Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | GA |
| Azure Monitor Logs clusters should be encrypted with customer-managed key | 1f68a601-6e6d-4e42-babf-3f643a047ea2 | Monitoring | Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | GA |
| Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace | d550e854-df1a-4de9-bf44-cd894b39a95e | Monitoring | Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | GA |
| Azure Monitor should collect activity logs from all regions | 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Azure Monitor solution 'Security and Audit' must be deployed | 3e596b57-105f-48a6-be97-03e9243bad6e | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Guest Configuration | Fixed: deployIfNotExists | GA |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Guest Configuration | Fixed: deployIfNotExists | GA |
| Deprecated accounts should be removed from your subscription | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Deprecated accounts with owner permissions should be removed from your subscription | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Email notification for high severity alerts should be enabled | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Email notification to subscription owner for high severity alerts should be enabled | 0b15565f-aa9e-48ba-8619-45960f2c314d | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Endpoint protection solution should be installed on virtual machine scale sets | 26a828e1-e88f-464e-bbb3-c134a282b9de | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| External accounts with owner permissions should be removed from your subscription | f8456c1c-aa66-4dfb-861a-25d127b775c9 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| External accounts with read permissions should be removed from your subscription | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| External accounts with write permissions should be removed from your subscription | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Flow logs should be configured for every network security group | c251913d-7d24-4958-af87-478ed3b9ba41 | Network | Default: Audit; Allowed: (Audit, Disabled) | GA |
| Flow logs should be enabled for every network security group | 27960feb-a23c-4577-8d36-ef8b5f35e0be | Network | Default: Audit; Allowed: (Audit, Disabled) | GA |
| Geo-redundant storage should be enabled for Storage Accounts | bf045164-79ba-4215-8f95-f8048dc1780b | Storage | Default: Audit; Allowed: (Audit, Disabled) | GA |
| Internet-facing virtual machines should be protected with network security groups | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| IP Forwarding on your virtual machine should be disabled | bd352bd5-2853-4985-bf0d-73806b4a5744 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Key Vault should use a virtual network service endpoint | ea4d6841-2173-4317-9747-ff522a45120f | Network | Default: Audit; Allowed: (Audit, Disabled) | GA |
| Key vaults should have purge protection enabled | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key Vault | Default: Audit; Allowed: (Audit, Deny, Disabled) | GA |
| Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Management ports of virtual machines should be protected with just-in-time network access control | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| MFA should be enabled accounts with write permissions on your subscription | 9297c21d-2ed6-4474-b48f-163f75654ce3 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| MFA should be enabled on accounts with owner permissions on your subscription | aa633080-8b72-40c4-a2d7-d00c03e80bed | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| MFA should be enabled on accounts with read permissions on your subscription | e3576e28-8b17-4677-84c3-db2990658d64 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Microsoft Antimalware for Azure should be configured to automatically update protection signatures | c43e4a30-77cb-48ab-a4dd-93f175c63b57 | Compute | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Microsoft IaaSAntimalware extension should be deployed on Windows servers | 9b597639-28e4-48eb-b506-56b05d366257 | Compute | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Monitor missing Endpoint Protection in Azure Security Center | af6cd1bd-1635-48cb-bde7-5b15693900b9 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Network Watcher flow logs should have traffic analytics enabled | 2f080164-9f4d-497e-9db6-416dc9f7b48a | Network | Default: Audit; Allowed: (Audit, Disabled) | GA |
| Network Watcher should be enabled | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | Network | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Non-internet-facing virtual machines should be protected with network security groups | bb91dfba-c30d-4263-9add-9c2384e659a6 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Batch accounts should be enabled | 428256e6-1fac-4f48-a757-df34c2b3336d | Batch | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Key Vault should be enabled | cf820ca0-f99e-4f3e-84fb-66e913812d21 | Key Vault | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Logic Apps should be enabled | 34f95f76-5386-4de7-b824-0d8478470c9d | Logic Apps | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Search services should be enabled | b4330a05-a843-4bc8-bf9a-cacce50c67f4 | Search | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Service Bus should be enabled | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | Service Bus | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Resource logs in Virtual Machine Scale Sets should be enabled | 7c1b1214-f927-48bf-8882-84f0af6588b1 | Compute | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | fa298e57-9444-42ba-bf04-86e8470e32c7 | Monitoring | Default: Audit; Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | GA |
| Secure transfer to storage accounts should be enabled | 404c3081-a854-4457-ae30-26a93ef643f9 | Storage | Default: Audit; Allowed: (Audit, Deny, Disabled) | GA |
| Storage account containing the container with activity logs must be encrypted with BYOK | fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Storage accounts should restrict network access | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage | Default: Audit; Allowed: (Audit, Deny, Disabled) | GA |
| Storage Accounts should use a virtual network service endpoint | 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 | Network | Default: Audit; Allowed: (Audit, Disabled) | GA |
| Subnets should be associated with a Network Security Group | e71308d3-144b-4262-b144-efdc3cc90517 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Subscriptions should have a contact email address for security issues | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| System updates on virtual machine scale sets should be installed | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| System updates should be installed on your machines | 86b3d65f-7626-441e-b690-81a8b71cff60 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| The Log Analytics extension should be installed on Virtual Machine Scale Sets | efbde977-ba53-4479-b8e9-10b957924fbf | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| There should be more than one owner assigned to your subscription | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 0961003e-5a0a-4549-abde-af6a37f2724d | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Virtual machines should have the Log Analytics extension installed | a70ca396-0a34-413a-88e1-b956c1e683be | Monitoring | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| VM Image Builder templates should use private link | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder | Default: Audit; Allowed: (Audit, Disabled, Deny) | GA |
| Vulnerabilities in container security configurations should be remediated | e8cbc669-f12d-49eb-93e7-9273119e9933 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Vulnerabilities in security configuration on your machines should be remediated | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | Security Center | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Windows machines should meet requirements for 'Security Options - Interactive Logon' | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |
| Windows web servers should be configured to use secure communication protocols | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Guest Configuration | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | GA |