last sync: 2022-Dec-02 17:43:04 UTC

Azure Policy Initiative

[Deprecated]: DoD Impact Level 4

Name[Deprecated]: DoD Impact Level 4
Azure Portal
Id8d792a84-723c-4d92-a3c3-e4ed16a2d133
Version9.0.0-deprecated
details on versioning
CategoryRegulatory Compliance
Microsoft docs
DescriptionThis initiative includes policies that address a subset of DoD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-initiative.
TypeBuiltIn
DeprecatedTrue
PreviewFalse
History
Date/Time (UTC ymd) (i) Changes
2022-07-07 16:32:14 Version change: '8.0.0-deprecated' to '9.0.0-deprecated'
remove Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39)
remove Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16)
remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e)
remove Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e)
remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba)
remove Policy [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app (991310cd-e9f3-47bc-b7b6-f57b557d07db)
2022-06-10 16:31:22 Version change: '6.1.1-deprecated' to '8.0.0-deprecated'
remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2021-07-14 14:58:38 Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of DOD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-blueprint.' to 'This initiative includes policies that address a subset of DoD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-initiative.'
2021-01-22 09:14:56 remove Policy [Deprecated]: A security contact phone number should be provided for your subscription (b4d66858-c922-44e3-9566-5cdb7a7be744)
remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)
2020-09-09 11:24:08 add Policy Audit Windows machines that do not have a maximum password age of 70 days (4ceb8dc2-559c-478b-a15b-733fbf1e3738)
add Policy Audit Windows machines that do not have the password complexity setting enabled (bf16e0bb-31e1-4646-8202-60a235cc7e74)
add Policy Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6)
add Policy Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023)
add Policy Audit Windows machines that do not store passwords using reversible encryption (da0f98fe-a24b-4ad5-af69-bd0400233661)
add Policy Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
add Policy Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da)
add Policy Audit Windows machines that do not have a minimum password age of 1 day (237b38db-ca4d-4259-9e47-7882441ca2c0)
add Policy Audit Linux machines that do not have the passwd file permissions set to 0644 (e6955644-301c-44b5-a4c4-528577de6861)
add Policy Audit Windows machines that do not restrict the minimum password length to 14 characters (a2d0e922-65d0-40c4-8f87-ea6da2d307a2)
add Policy Audit Linux machines that have accounts without passwords (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99)
add Policy Audit Windows machines missing any of specified members in the Administrators group (30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7)
add Policy Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6)
add Policy Audit Windows machines that allow re-use of the previous 24 passwords (5b054a0d-39e2-4d53-bea3-9734cad2c69b)
add Policy Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e)
add Policy Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f)
remove Policy [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters (5aebc8d1-020d-4037-89a0-02043a7524ec)
remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members (bde62c94-ccca-4821-a815-92c1d31a76de)
remove Policy [Deprecated]: Show audit results from Linux VMs that have accounts without passwords (c40c9087-1981-4e73-9f53-39743eda9d05)
remove Policy [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords (2d67222d-05fd-4526-a171-2ee132ad9e83)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords (726671ac-c4de-4908-8c7d-6043ae62e3b6)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day (16390df4-2f73-4b42-af13-c801066763df)
remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 (f19aa1c1-6b91-4c27-ae6a-970279f03db9)
remove Policy [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption (2d60d3b7-aa10-454c-88a8-de39d99d17c6)
remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members (f3b44e5d-1456-475f-9c67-c66c4618e85a)
remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords (ec49586f-4939-402d-a29e-6ff502b20592)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled (7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8)
remove Policy [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords (cdbf72d9-ac9c-4026-8a3a-491a5ac59293)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days (356a906e-05e5-4625-8729-90771e0ee934)
remove Policy [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled (f48b2913-1dc5-4834-8c72-ccc1dfd819bb)
remove Policy [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 (b18175dd-c599-4c64-83ba-bb018a06d35b)
remove Policy [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols (60ffe3e2-4604-4460-8f22-0f1da058266c)
remove Policy [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day (5aa11bbc-5c76-4302-80e5-aba46a4282e7)
remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords (3470477a-b35a-49db-aca5-1073d04524fe)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption (8ff0b18b-262e-4512-857a-48ad0aeb9a78)
remove Policy [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days (24dde96d-f0b1-425e-884f-4a1421e2dcdc)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members (93507a81-10a4-4af0-9ee2-34cf25a96e98)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols (b2fc8f91-866d-4434-9089-5ebfe38d6fd8)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters (23020aa6-1135-4be2-bae2-149982b06eca)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members (144f1397-32f9-4598-8c88-118decc3ccba)
2020-09-02 14:03:46 remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app (c2e7ca55-f62c-49b2-89a4-d41eb661d2f0)
remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App (10c1859c-e1a7-4df3-ab97-a487fa8059f6)
remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app (843664e0-7563-41ee-a9cb-7522c382d2c4)
remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app (ab965db2-d2bf-4b64-8b39-c38ec8179461)
2020-07-01 14:50:07 remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings (e756b945-1b1b-480b-8de8-9a0859d5f7ad)
remove Policy [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts (3965c43d-b5f4-482e-b74a-d89ee0e0b3a8)
remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings (c8343d2f-fdc9-4a97-b76f-fc71d1163bfc)
remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings (aeb23562-188d-47cb-80b8-551f16ef9fff)
remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings (bda18df3-5e41-4709-add9-2554ce68c966)
remove Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278)
2020-06-23 16:03:23 remove Policy Security Center standard pricing tier should be selected (a1181c5f-672a-477a-979a-7d58aa086233)
2020-06-16 14:55:25 Description change: 'This initiative includes audit and VM extension deployment policies that address a subset of DOD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-blueprint.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of DOD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-blueprint.'
2020-06-01 18:36:21 Name change: '[Deprecated]: Audit DoD Impact Level 4 controls and deploy specific VM Extensions to support audit requirements' to '[Deprecated]: DOD Impact Level 4'
Description change: 'This initiative includes audit and VM Extension deployment policies that address a subset of DoD Impact Level 4 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/DoDIL4-blueprint.' to 'This initiative includes audit and VM extension deployment policies that address a subset of DOD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-blueprint.'
2020-05-29 15:39:26 add Policy Microsoft IaaSAntimalware extension should be deployed on Windows servers (9b597639-28e4-48eb-b506-56b05d366257)
add Policy Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6)
add Policy The Log Analytics extension should be installed on Virtual Machine Scale Sets (efbde977-ba53-4479-b8e9-10b957924fbf)
add Policy Virtual machines should have the Log Analytics extension installed (a70ca396-0a34-413a-88e1-b956c1e683be)
Name change: '[Preview]: Audit DoD Impact Level 4 controls and deploy specific VM Extensions to support audit requirements' to '[Deprecated]: Audit DoD Impact Level 4 controls and deploy specific VM Extensions to support audit requirements'
2020-03-16 18:14:00 Description change: 'Assigns policies to address specific DoD Impact Level 4 (IL4) controls. Learn more - https://aka.ms/DoDIL4-blueprint.' to 'This initiative includes audit and VM Extension deployment policies that address a subset of DoD Impact Level 4 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/DoDIL4-blueprint.'
Name change: '[Preview]: DoD Impact Level 4' to '[Preview]: Audit DoD Impact Level 4 controls and deploy specific VM Extensions to support audit requirements'
2020-03-03 10:09:24 add Policy [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts (3965c43d-b5f4-482e-b74a-d89ee0e0b3a8)
add Policy Function apps that use Python should use the latest 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73)
add Policy App Service apps that use PHP should use the latest 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3)
add Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e)
add Policy App Service apps that use Java should use the latest 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed)
add Policy Function apps that use Java should use the latest 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc)
add Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app (c2e7ca55-f62c-49b2-89a4-d41eb661d2f0)
add Policy App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b)
add Policy App Service apps should use latest 'HTTP Version' (8c122334-9d20-4eb8-89ea-ac9a705b74ae)
add Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings (bda18df3-5e41-4709-add9-2554ce68c966)
add Policy Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version (fb893a29-21bb-418c-a157-e99480ec364c)
add Policy Security Center standard pricing tier should be selected (a1181c5f-672a-477a-979a-7d58aa086233)
add Policy [Deprecated]: A security contact phone number should be provided for your subscription (b4d66858-c922-44e3-9566-5cdb7a7be744)
add Policy Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193)
add Policy Email notification to subscription owner for high severity alerts should be enabled (0b15565f-aa9e-48ba-8619-45960f2c314d)
add Policy Function apps should use latest 'HTTP Version' (e2c1c086-2d84-4019-bff3-c44ccd95113c)
add Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App (10c1859c-e1a7-4df3-ab97-a487fa8059f6)
add Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16)
add Policy [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings (aeb23562-188d-47cb-80b8-551f16ef9fff)
add Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app (ab965db2-d2bf-4b64-8b39-c38ec8179461)
add Policy App Service apps that use Python should use the latest 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73)
add Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba)
add Policy Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933)
add Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app (843664e0-7563-41ee-a9cb-7522c382d2c4)
add Policy Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7)
add Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings (e756b945-1b1b-480b-8de8-9a0859d5f7ad)
add Policy [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app (991310cd-e9f3-47bc-b7b6-f57b557d07db)
add Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278)
add Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39)
add Policy [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings (c8343d2f-fdc9-4a97-b76f-fc71d1163bfc)
remove Policy Allowed locations for resource groups (e765b5de-1225-4ba3-bd56-1ac6695af988)
remove Policy Allowed locations (e56962a6-4747-49cd-b67b-bf8b01975c4c)
2020-02-20 08:25:18 remove Policy [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM (201ea587-7c90-41c3-910f-c280ae01cfd6)
2020-02-05 07:51:53 add Initiative 8d792a84-723c-4d92-a3c3-e4ed16a2d133
Policy count Total Policies: 84
Builtin Policies: 84
Static Policies: 0
Policy used
Policy DisplayName Policy Id Category Effect Roles# Roles State
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images 32133ab0-ee4b-4b44-98d6-042180979d50 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 Preview
A maximum of 3 owners should be designated for your subscription 4f11b553-d42e-4e3a-89be-32ca364cad4c Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
A vulnerability assessment solution should be enabled on your virtual machines 501541f7-f7e7-4cd6-868c-4190fdad3ac9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Adaptive application controls for defining safe applications should be enabled on your machines 47a6b606-51aa-4496-8bb7-64b11cf66adc Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Guest Configuration Fixed
modify
1 Contributor GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 497dff13-db2a-4c0f-8603-28fa3b331ab6 Guest Configuration Fixed
modify
1 Contributor GA
All network ports should be restricted on network security groups associated to your virtual machine 9daedab3-fb2d-461e-b861-71790eead4f6 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
An Azure Active Directory administrator should be provisioned for SQL servers 1f314764-cb73-4fc9-b863-8eca98ac36e9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should have remote debugging turned off cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should not have CORS configured to allow every resource to access your apps 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should only be accessible over HTTPS a4af4a39-4135-47fb-b175-47fbdf85311d App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
App Service apps should use latest 'HTTP Version' 8c122334-9d20-4eb8-89ea-ac9a705b74ae App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should use the latest TLS version f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps that use Java should use the latest 'Java version' 496223c3-ad65-4ecd-878a-bae78737e9ed App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps that use PHP should use the latest 'PHP version' 7261b898-8a84-4db8-9e04-18527132abb3 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps that use Python should use the latest 'Python version' 7008174a-fd10-4ef0-817e-fc820a951d73 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit diagnostic setting 7f89b1eb-583c-429a-8828-af049802c1d9 Monitoring Fixed
AuditIfNotExists
0 GA
Audit Linux machines that allow remote connections from accounts without passwords ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Linux machines that do not have the passwd file permissions set to 0644 e6955644-301c-44b5-a4c4-528577de6861 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Linux machines that have accounts without passwords f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit usage of custom RBAC rules a451c1ef-c6ca-483d-87ed-f49761e3ffb5 General Default
Audit
Allowed
Audit, Disabled
0 GA
Audit virtual machines without disaster recovery configured 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Compute Fixed
auditIfNotExists
0 GA
Audit Windows machines missing any of specified members in the Administrators group 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 Guest Configuration Fixed
auditIfNotExists
0 GA
Audit Windows machines that allow re-use of the previous 24 passwords 5b054a0d-39e2-4d53-bea3-9734cad2c69b Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that do not have a maximum password age of 70 days 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that do not have a minimum password age of 1 day 237b38db-ca4d-4259-9e47-7882441ca2c0 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that do not have the password complexity setting enabled bf16e0bb-31e1-4646-8202-60a235cc7e74 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that do not restrict the minimum password length to 14 characters a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that do not store passwords using reversible encryption da0f98fe-a24b-4ad5-af69-bd0400233661 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that have the specified members in the Administrators group 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f Guest Configuration Fixed
auditIfNotExists
0 GA
Auditing on SQL server should be enabled a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure DDoS Protection Standard should be enabled a7aca53f-2ed4-4466-a25e-0b45ade68efd Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for SQL should be enabled for unprotected Azure SQL servers abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 331e8ea8-378a-410f-a2e5-ae22f38bb0da Guest Configuration Fixed
deployIfNotExists
1 Contributor GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 385f5831-96d4-41db-9a3c-cd3af78aaae6 Guest Configuration Fixed
deployIfNotExists
1 Contributor GA
Deprecated accounts should be removed from your subscription 6b1cbf55-e8b6-442f-ba4c-7246b6381474 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Deprecated accounts with owner permissions should be removed from your subscription ebb62a0c-3560-49e1-89ed-27e074e9f8ad Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Email notification to subscription owner for high severity alerts should be enabled 0b15565f-aa9e-48ba-8619-45960f2c314d Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Endpoint protection solution should be installed on virtual machine scale sets 26a828e1-e88f-464e-bbb3-c134a282b9de Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
External accounts with owner permissions should be removed from your subscription f8456c1c-aa66-4dfb-861a-25d127b775c9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
External accounts with read permissions should be removed from your subscription 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
External accounts with write permissions should be removed from your subscription 5c607a2e-c700-4744-8254-d77e7c9eb5e4 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should have remote debugging turned off 0e60b895-3786-45da-8377-9c6b4b6ac5f9 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should only be accessible over HTTPS 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
Function apps should use latest 'HTTP Version' e2c1c086-2d84-4019-bff3-c44ccd95113c App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should use the latest TLS version f9d614c5-c173-4d56-95a7-b4437057d193 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps that use Java should use the latest 'Java version' 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps that use Python should use the latest 'Python version' 7238174a-fd10-4ef0-817e-fc820a951d73 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Geo-redundant backup should be enabled for Azure Database for MariaDB 0ec47710-77ff-4a3d-9181-6aa50af424d0 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Geo-redundant backup should be enabled for Azure Database for MySQL 82339799-d096-41ae-8538-b108becf0970 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Geo-redundant backup should be enabled for Azure Database for PostgreSQL 48af4db5-9b8b-401c-8e74-076be876a430 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Geo-redundant storage should be enabled for Storage Accounts bf045164-79ba-4215-8f95-f8048dc1780b Storage Default
Audit
Allowed
Audit, Disabled
0 GA
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version fb893a29-21bb-418c-a157-e99480ec364c Security Center Default
Audit
Allowed
Audit, Disabled
0 GA
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Long-term geo-redundant backup should be enabled for Azure SQL Databases d38fc420-0735-4ef3-ac11-c806f651a570 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Management ports of virtual machines should be protected with just-in-time network access control b0f33259-77d7-4c9e-aac6-3aabcfae693c Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
MFA should be enabled for accounts with write permissions on your subscription 9297c21d-2ed6-4474-b48f-163f75654ce3 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
MFA should be enabled on accounts with owner permissions on your subscription aa633080-8b72-40c4-a2d7-d00c03e80bed Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
MFA should be enabled on accounts with read permissions on your subscription e3576e28-8b17-4677-84c3-db2990658d64 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Microsoft IaaSAntimalware extension should be deployed on Windows servers 9b597639-28e4-48eb-b506-56b05d366257 Compute Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Monitor missing Endpoint Protection in Azure Security Center af6cd1bd-1635-48cb-bde7-5b15693900b9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Network Watcher should be enabled b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 Network Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Only secure connections to your Azure Cache for Redis should be enabled 22bee202-a82f-4305-9a2a-6d7f44d4dedb Cache Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Secure transfer to storage accounts should be enabled 404c3081-a854-4457-ae30-26a93ef643f9 Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Service Fabric clusters should only use Azure Active Directory for client authentication b54ed75b-3e1a-44ac-a333-05ba39b99ff0 Service Fabric Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
SQL databases should have vulnerability findings resolved feedbf84-6b99-488c-acc2-71c829aa5ffc Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Storage accounts should restrict network access 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Subscriptions should have a contact email address for security issues 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
System updates on virtual machine scale sets should be installed c3f317a7-a95c-4547-b7e7-11017ebdf2fe Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
System updates should be installed on your machines 86b3d65f-7626-441e-b690-81a8b71cff60 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
The Log Analytics extension should be installed on Virtual Machine Scale Sets efbde977-ba53-4479-b8e9-10b957924fbf Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
There should be more than one owner assigned to your subscription 09024ccc-0c5f-475e-9457-b7c0d9ed487b Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Transparent Data Encryption on SQL databases should be enabled 17k78e20-9358-41c9-923c-fb736d382a12 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines should be connected to a specified workspace f47b5582-33ec-4c5c-87c0-b010a6b2e917 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 0961003e-5a0a-4549-abde-af6a37f2724d Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines should have the Log Analytics extension installed a70ca396-0a34-413a-88e1-b956c1e683be Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in container security configurations should be remediated e8cbc669-f12d-49eb-93e7-9273119e9933 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in security configuration on your machines should be remediated e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerability assessment should be enabled on SQL Managed Instance 1b7aa243-30e4-4c9e-bca8-d0d3022b634a SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerability assessment should be enabled on your SQL servers ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows web servers should be configured to use secure communication protocols 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Roles used Total Roles usage: 4
Total Roles unique usage: 1
Role Role Id Policies count Policies
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c 4 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
JSON