| Policy DisplayName | Policy Id | Category | Effect | Roles# | Roles | State |
|---|---|---|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Guest Configuration | Fixed: modify | 1 | Contributor | GA |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Guest Configuration | Fixed: modify | 1 | Contributor | GA |
| App Service Environment should have TLS 1.0 and 1.1 disabled | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA |
| Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection | 711c24bb-7f18-4578-b192-81a6161e1f17 | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA |
| Azure SQL Database should be running TLS version 1.2 or newer | 32e6bbec-16b6-44c2-be37-c5b672d103cf | SQL | Default: Audit; Allowed: Audit, Disabled, Deny | 0 | | GA |
| Azure Synapse Analytics dedicated SQL pools should enable encryption | cfaf0007-99c7-4b01-b36b-4048872ac978 | Synapse | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA |
| Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium | f516dc7a-4543-4d40-aad6-98f76a706b50 | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Guest Configuration | Fixed: deployIfNotExists | 1 | Contributor | GA |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Guest Configuration | Fixed: deployIfNotExists | 1 | Contributor | GA |
| Disk encryption should be enabled on Azure Data Explorer | f4b53539-8df9-40e4-86c6-6b607703bd4e | Azure Data Explorer | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA |
| Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows | 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA |
| Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) | 6484db87-a62d-4327-9f07-80a2cbdf333a | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA |
| Linux virtual machines should have Azure Monitor Agent installed | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Monitoring | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA |
| SQL Managed Instance should have the minimal TLS version of 1.2 | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL | Default: Audit; Allowed: Audit, Disabled | 0 | | GA |
| Storage accounts should have the specified minimum TLS version | fe83a0eb-a853-422d-aac2-1bffd182c5d0 | Storage | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA |
| Subscription should configure the Azure Firewall Premium to provide additional layer of protection | f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf | Network | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA |
| Vulnerability assessment should be enabled on your Synapse workspaces | 0049a6b3-a662-4f3e-8635-39cf44ace45a | Synapse | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA |
| Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | 632d3993-e2c0-44ea-a7db-2eca131f356d | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA |
| Web Application Firewall (WAF) should use the specified mode for Application Gateway | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Network | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA |
| Windows machines should configure Windows Defender to update protection signatures within one day | d96163de-dbe0-45ac-b803-0e9ca0f5764e | Guest Configuration | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA |
| Windows machines should enable Windows Defender Real-time protection | b3248a42-b1c1-41a4-87bc-8bad3d845589 | Guest Configuration | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA |
| Windows machines should schedule Windows Defender to perform a scheduled scan every day | 3810e389-1d92-4f77-9267-33bdcf0bd225 | Guest Configuration | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA |
| Windows machines should use the default NTP server | 2454bbee-dc19-442f-83fc-7f3114cafd91 | Guest Configuration | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA |
| Windows virtual machines should have Azure Monitor Agent installed | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Monitoring | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA |