AzInitiativeAdvertizer

last sync: 2025-Apr-22 16:45:35 UTC

ACAT for Microsoft 365 Certification

Azure BuiltIn Policy Initiative (PolicySet)

Source Azure Portal
Display nameACAT for Microsoft 365 Certification
Id80307b86-ab81-45ab-bf4f-4e0b93cf3dd5
Version1.1.0
Details on versioning
Versioning Versions supported for Versioning: 2
1.1.0
1.0.0
Built-in Versioning [Preview]
CategoryRegulatory Compliance
Microsoft Learn
DescriptionApp Compliance Automation Tool for Microsoft 365 (ACAT) simplifies the process to achieve Microsoft 365 Certification, see https://aka.ms/acat. This certification ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. This initiative includes policies that address a subset of the Microsoft 365 Certification controls. Additional policies will be added in upcoming releases.
Cloud environmentsAzureCloud = true
AzureChinaCloud = unknown
AzureUSGovernment = unknown
Available in AzUSGovUnknown, no evidence if PolicySet definition is/not available in AzureUSGovernment
TypeBuiltIn
DeprecatedFalse
PreviewFalse
Policy-used summary
Policy types Policy states Policy categories
Total Policies: 16
Builtin Policies: 16
Static Policies: 0
GA: 16
8 categories:
App Service: 1
Azure Data Explorer: 1
Guest Configuration: 6
Monitoring: 2
Network: 1
SQL: 2
Storage: 1
Synapse: 2
Policy-used
Policy DisplayName Policy Id Category Version Versioning Effect Roles# Roles State policy in AzUSGov
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Guest Configuration 4.1.0 2x
4.1.0, 4.0.0		 Fixed
modify		 1 Contributor GA true
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 497dff13-db2a-4c0f-8603-28fa3b331ab6 Guest Configuration 4.1.0 2x
4.1.0, 4.0.0		 Fixed
modify		 1 Contributor GA true
App Service Environment should have TLS 1.0 and 1.1 disabled d6545c6b-dd9d-4265-91e6-0b451e2f1c50 App Service 2.0.1 1x
2.0.1		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA unknown
Azure SQL Database should be running TLS version 1.2 or newer 32e6bbec-16b6-44c2-be37-c5b672d103cf SQL 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA true
Azure Synapse Analytics dedicated SQL pools should enable encryption cfaf0007-99c7-4b01-b36b-4048872ac978 Synapse 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 331e8ea8-378a-410f-a2e5-ae22f38bb0da Guest Configuration 3.1.0 2x
3.1.0, 3.0.0		 Fixed
deployIfNotExists		 1 Contributor GA true
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 385f5831-96d4-41db-9a3c-cd3af78aaae6 Guest Configuration 1.2.0 1x
1.2.0		 Fixed
deployIfNotExists		 1 Contributor GA true
Disk encryption should be enabled on Azure Data Explorer f4b53539-8df9-40e4-86c6-6b607703bd4e Azure Data Explorer 2.0.0 1x
2.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Linux virtual machines should have Azure Monitor Agent installed 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Monitoring 3.4.0 4x
3.4.0, 3.3.0, 3.2.0, 3.1.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
SQL Managed Instance should have the minimal TLS version of 1.2 a8793640-60f7-487c-b5c3-1d37215905c4 SQL 1.0.1 1x
1.0.1		 Default
Audit
Allowed
Audit, Disabled		 0 GA true
Storage accounts should have the specified minimum TLS version fe83a0eb-a853-422d-aac2-1bffd182c5d0 Storage 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Vulnerability assessment should be enabled on your Synapse workspaces 0049a6b3-a662-4f3e-8635-39cf44ace45a Synapse 1.0.0 1x
1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA true
Web Application Firewall (WAF) should use the specified mode for Application Gateway 12430be1-6cc8-4527-a9a8-e3d38f250096 Network 1.0.0 1x
1.0.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Windows machines should configure Windows Defender to update protection signatures within one day d96163de-dbe0-45ac-b803-0e9ca0f5764e Guest Configuration 1.0.1 2x
1.0.1, 1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Windows machines should enable Windows Defender Real-time protection b3248a42-b1c1-41a4-87bc-8bad3d845589 Guest Configuration 1.0.1 2x
1.0.1, 1.0.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Windows virtual machines should have Azure Monitor Agent installed c02729e5-e5e7-4458-97fa-2b5ad0661f28 Monitoring 3.2.0 2x
3.2.0, 3.1.0		 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA unknown
Roles used Total Roles usage: 4
Total Roles unique usage: 1
Role Role Id #Policies Policies
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c 4 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
History
JSON compare
compare mode: version left: version right:
JSON
api-version=2023-04-01
EPAC