Policy DisplayName |
Policy Id |
Category |
Effect |
Roles# |
Roles |
State |
[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled |
eaebaea7-8013-4ceb-9d14-7eb32271373c |
App Service |
Default Disabled Allowed Audit, Disabled |
0 |
|
Deprecated |
[Deprecated]: System updates on virtual machine scale sets should be installed |
c3f317a7-a95c-4547-b7e7-11017ebdf2fe |
Security Center |
Default Disabled Allowed AuditIfNotExists, Disabled |
0 |
|
Deprecated |
[Deprecated]: System updates should be installed on your machines |
86b3d65f-7626-441e-b690-81a8b71cff60 |
Security Center |
Default Disabled Allowed AuditIfNotExists, Disabled |
0 |
|
Deprecated |
A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections |
50b83b09-03da-41c1-b656-c293c914862b |
Network |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
A vulnerability assessment solution should be enabled on your virtual machines |
501541f7-f7e7-4cd6-868c-4190fdad3ac9 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Accounts with owner permissions on Azure resources should be MFA enabled |
e3e008c3-56b9-4133-8fd7-d3347377402a |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Accounts with read permissions on Azure resources should be MFA enabled |
81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Accounts with write permissions on Azure resources should be MFA enabled |
931e118d-50a1-4457-a5e4-78550e086c52 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Activity log should be retained for at least one year |
b02aacc0-b073-424e-8298-42b22829ee0a |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
All flow log resources should be in enabled state |
27960feb-a23c-4577-8d36-ef8b5f35e0be |
Network |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
All network ports should be restricted on network security groups associated to your virtual machine |
9daedab3-fb2d-461e-b861-71790eead4f6 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
An Azure Active Directory administrator should be provisioned for SQL servers |
1f314764-cb73-4fc9-b863-8eca98ac36e9 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
API Management services should use a virtual network |
ef619a2c-cc4d-4d03-b2ba-8c94a834d85b |
API Management |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
App Configuration should disable public network access |
3d9f5e4c-9947-4579-9539-2a7695fbc187 |
App Configuration |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
App Configuration should use a customer-managed key |
967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 |
App Configuration |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
App Service apps should have authentication enabled |
95bccee9-a7f8-4bec-9ee9-62c3473701fc |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should have Client Certificates (Incoming client certificates) enabled |
19dd1db6-f442-49cf-a838-b0786b4401ef |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should have remote debugging turned off |
cb510bfd-1cba-4d9f-a230-cb0976f4bb71 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should have resource logs enabled |
91a78b24-f231-4a8a-8da9-02c35b2b6510 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should not have CORS configured to allow every resource to access your apps |
5744710e-cc2f-4ee8-8809-3b11e89f4bc9 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should only be accessible over HTTPS |
a4af4a39-4135-47fb-b175-47fbdf85311d |
App Service |
Default Audit Allowed Audit, Disabled, Deny |
0 |
|
GA |
App Service apps should require FTPS only |
4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should use latest 'HTTP Version' |
8c122334-9d20-4eb8-89ea-ac9a705b74ae |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should use the latest TLS version |
f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit diagnostic setting for selected resource types |
7f89b1eb-583c-429a-8828-af049802c1d9 |
Monitoring |
Fixed AuditIfNotExists |
0 |
|
GA |
Audit resource location matches resource group location |
0a914e76-4921-4c19-b460-a2d36003525a |
General |
Fixed audit |
0 |
|
GA |
Audit usage of custom RBAC roles |
a451c1ef-c6ca-483d-87ed-f49761e3ffb5 |
General |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Audit virtual machines without disaster recovery configured |
0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 |
Compute |
Fixed auditIfNotExists |
0 |
|
GA |
Auditing on SQL server should be enabled |
a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Authorization rules on the Event Hub instance should be defined |
f4826e5f-6a27-407c-ae3e-9582eb39891d |
Event Hub |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Authorized IP ranges should be defined on Kubernetes Services |
0e246bcf-5f6f-4f87-bc6f-775d4712c7ea |
Security Center |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Azure Backup should be enabled for Virtual Machines |
013e242c-8828-4970-87b3-ab247555486d |
Backup |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Container Instance container group should deploy into a virtual network |
8af8f826-edcb-4178-b35f-851ea6fea615 |
Container Instance |
Default Audit Allowed Audit, Disabled, Deny |
0 |
|
GA |
Azure Container Instance container group should use customer-managed key for encryption |
0aa61e00-0a01-4a3c-9945-e93cffedf0e6 |
Container Instance |
Default Audit Allowed Audit, Disabled, Deny |
0 |
|
GA |
Azure DDoS Protection should be enabled |
a7aca53f-2ed4-4466-a25e-0b45ade68efd |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Defender for App Service should be enabled |
2913021d-f2fd-4f3d-b958-22354e2bdbcb |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Defender for Azure SQL Database servers should be enabled |
7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Defender for Key Vault should be enabled |
0e6763cc-5078-4e64-889d-ff4d9a839047 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Defender for servers should be enabled |
4da35fc9-c9e7-4960-aec9-797fe7d9051d |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Defender for SQL servers on machines should be enabled |
6581d072-105e-4418-827f-bd446d56421b |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Key Vault Managed HSM should have purge protection enabled |
c39ba22d-4428-4149-b981-70acb31fc383 |
Key Vault |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' |
1a4e592a-6a6e-44a5-9814-e36264ca96e7 |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Monitor Logs clusters should be encrypted with customer-managed key |
1f68a601-6e6d-4e42-babf-3f643a047ea2 |
Monitoring |
Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace |
d550e854-df1a-4de9-bf44-cd894b39a95e |
Monitoring |
Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Azure Monitor should collect activity logs from all regions |
41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Monitor solution 'Security and Audit' must be deployed |
3e596b57-105f-48a6-be97-03e9243bad6e |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure SQL Database should be running TLS version 1.2 or newer |
32e6bbec-16b6-44c2-be37-c5b672d103cf |
SQL |
Default Audit Allowed Audit, Disabled, Deny |
0 |
|
GA |
Azure subscriptions should have a log profile for Activity Log |
7796937f-307b-4598-941c-67d3a05ebfe7 |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure VPN gateways should not use 'basic' SKU |
e345b6c3-24bd-4c93-9bbb-7e5e49a17b78 |
Network |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Azure Web Application Firewall should be enabled for Azure Front Door entry-points |
055aa869-bc98-4af8-bafc-23f1ab6ffe2c |
Network |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Blocked accounts with owner permissions on Azure resources should be removed |
0cfea604-3201-4e14-88fc-fae4c427a6c5 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Blocked accounts with read and write permissions on Azure resources should be removed |
8d7e1fde-fe26-4b5f-8108-f8e432cbc2be |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys |
7d7be79c-23ba-4033-84dd-45e2a5ccdd67 |
Kubernetes |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Configure App Configuration to disable public network access |
73290fa2-dfa7-4bbb-945d-a5e23b75df2c |
App Configuration |
Default Modify Allowed Modify, Disabled |
1 |
Contributor |
GA |
Configure Azure SQL Server to disable public network access |
28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b |
SQL |
Default Modify Allowed Modify, Disabled |
1 |
SQL Server Contributor |
GA |
Configure Azure SQL Server to enable private endpoint connections |
8e8ca470-d980-4831-99e6-dc70d9f6af87 |
SQL |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Network Contributor, SQL Server Contributor |
GA |
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location |
09ce66bc-1220-4153-8104-e3f51c936913 |
Backup |
Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |
2 |
Backup Contributor, Virtual Machine Contributor |
GA |
Configure Container registries to disable public network access |
a3701552-92ea-433e-9d17-33b7f1208fc9 |
Container Registry |
Default Modify Allowed Modify, Disabled |
1 |
Contributor |
GA |
Configure managed disks to disable public network access |
8426280e-b5be-43d9-979e-653d12a08638 |
Compute |
Default Modify Allowed Modify, Disabled |
1 |
Contributor |
GA |
Connection throttling should be enabled for PostgreSQL database servers |
5345bb39-67dc-4960-a1bf-427e16b9a0bd |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Container registries should be encrypted with a customer-managed key |
5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 |
Container Registry |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Container registries should not allow unrestricted network access |
d0793b48-0edc-4296-a390-4c75d1bdfd71 |
Container Registry |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Cosmos DB should use a virtual network service endpoint |
e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 |
Network |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace |
b79fa14e-238a-4c2d-b376-442ce508fc84 |
SQL |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets |
3c1b3629-c8f8-4bf6-862c-037cb9094038 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Virtual Machine Contributor |
GA |
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines |
0868462e-646c-4fe3-9ced-a733534b6a2c |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Log Analytics Contributor |
GA |
Deploy Defender for Storage (Classic) on storage accounts |
361c2074-3595-4e5d-8cab-4f21dffc835c |
Storage |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Security Admin |
GA |
Deploy Diagnostic Settings for Batch Account to Event Hub |
db51110f-0865-4a6e-b274-e2e07a5b2cd7 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Deploy Diagnostic Settings for Batch Account to Log Analytics workspace |
c84e5349-db6d-4769-805e-e14037dab9b5 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Deploy Diagnostic Settings for Data Lake Analytics to Event Hub |
4daddf25-4823-43d4-88eb-2419eb6dcc08 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace |
d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub |
e8d096bc-85de-4c5f-8cfb-857bd1b9d62d |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace |
25763a0a-5783-4f14-969e-79d4933eb74b |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Deploy Diagnostic Settings for Event Hub to Event Hub |
ef7b61ef-b8e4-4c91-8e78-6946c6b0023f |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Deploy Diagnostic Settings for Event Hub to Log Analytics workspace |
1f6e93e8-6b31-41b1-83f6-36e449a42579 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Deploy Diagnostic Settings for Key Vault to Log Analytics workspace |
bef3f64c-5290-43b7-85b0-9b254eef4c47 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Deploy Diagnostic Settings for Logic Apps to Event Hub |
a1dae6c7-13f3-48ea-a149-ff8442661f60 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace |
b889a06c-ec72-4b03-910a-cb169ee18721 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Deploy Diagnostic Settings for Search Services to Event Hub |
3d5da587-71bd-41f5-ac95-dd3330c2d58d |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Deploy Diagnostic Settings for Search Services to Log Analytics workspace |
08ba64b8-738f-4918-9686-730d2ed79c7d |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Deploy Diagnostic Settings for Service Bus to Event Hub |
6b51af03-9277-49a9-a3f8-1c69c9ff7403 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace |
04d53d87-841c-4f23-8a5b-21564380b55e |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Deploy Diagnostic Settings for Stream Analytics to Event Hub |
edf3780c-3d70-40fe-b17e-ab72013dafca |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace |
237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 |
Monitoring |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
2 |
Log Analytics Contributor, Monitoring Contributor |
GA |
Disconnections should be logged for PostgreSQL database servers. |
eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Email notification for high severity alerts should be enabled |
6e2593d9-add6-4083-9c9b-4b7d2188c899 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Email notification to subscription owner for high severity alerts should be enabled |
0b15565f-aa9e-48ba-8619-45960f2c314d |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. |
8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 |
Security Center |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. |
6df2fee6-a9ed-4fef-bced-e13be1b25f1c |
Security Center |
Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
Enforce SSL connection should be enabled for MySQL database servers |
e802a67a-daf5-4436-9ea6-f6d821dd0c5d |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Enforce SSL connection should be enabled for PostgreSQL database servers |
d158790f-bfb0-486c-8631-2dc6b4e8e6af |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Event Hub namespaces should use a customer-managed key for encryption |
a1ad735a-e96f-45d2-a7b2-9a4932cab7ec |
Event Hub |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Event Hub should use a virtual network service endpoint |
d63edb4a-c612-454d-b47d-191a724fcbf0 |
Network |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Flow logs should be configured for every network security group |
c251913d-7d24-4958-af87-478ed3b9ba41 |
Network |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Function apps should have authentication enabled |
c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Function apps should have remote debugging turned off |
0e60b895-3786-45da-8377-9c6b4b6ac5f9 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Function apps should not have CORS configured to allow every resource to access your apps |
0820b7b9-23aa-4725-a1ce-ae4558f718e5 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Function apps should only be accessible over HTTPS |
6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab |
App Service |
Default Audit Allowed Audit, Disabled, Deny |
0 |
|
GA |
Function apps should require FTPS only |
399b2637-a50f-4f95-96f8-3a145476eb15 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Function apps should use latest 'HTTP Version' |
e2c1c086-2d84-4019-bff3-c44ccd95113c |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Function apps should use managed identity |
0da106f2-4ca3-48e8-bc85-c638fe6aea8f |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Function apps should use the latest TLS version |
f9d614c5-c173-4d56-95a7-b4437057d193 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Geo-redundant backup should be enabled for Azure Database for MariaDB |
0ec47710-77ff-4a3d-9181-6aa50af424d0 |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Geo-redundant backup should be enabled for Azure Database for MySQL |
82339799-d096-41ae-8538-b108becf0970 |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL |
48af4db5-9b8b-401c-8e74-076be876a430 |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Geo-redundant storage should be enabled for Storage Accounts |
bf045164-79ba-4215-8f95-f8048dc1780b |
Storage |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Guest accounts with owner permissions on Azure resources should be removed |
339353f6-2387-4a45-abe4-7f529d121046 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Guest accounts with read permissions on Azure resources should be removed |
e9ac8f8e-ce22-4355-8f04-99b911d6be52 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Guest accounts with write permissions on Azure resources should be removed |
94e1c2ac-cbbe-4cac-a2b5-389c812dee87 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Guest Configuration extension should be installed on your machines |
ae89ebca-1c92-4898-ac2c-9f63decb045c |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
HPC Cache accounts should use customer-managed key for encryption |
970f84d8-71b6-4091-9979-ace7e3fb6dbb |
Storage |
Default Audit Allowed Audit, Disabled, Deny |
0 |
|
GA |
Infrastructure encryption should be enabled for Azure Database for MySQL servers |
3a58212a-c829-4f13-9872-6371df2fd0b4 |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers |
24fba194-95d6-48c0-aea7-f65bf859c598 |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Internet-facing virtual machines should be protected with network security groups |
f6de0be7-9a8a-4b8a-b349-43cf02d22f7c |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
IP Forwarding on your virtual machine should be disabled |
bd352bd5-2853-4985-bf0d-73806b4a5744 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Key Vault should use a virtual network service endpoint |
ea4d6841-2173-4317-9747-ff522a45120f |
Network |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Key vaults should have deletion protection enabled |
0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 |
Key Vault |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Key vaults should have soft delete enabled |
1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d |
Key Vault |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Kubernetes cluster containers should only use allowed capabilities |
c26596ff-4d70-4e6a-9a30-c2506bd2f80c |
Kubernetes |
Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Kubernetes cluster containers should run with a read only root file system |
df49d893-a74c-421d-bc95-c663042e5b80 |
Kubernetes |
Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Kubernetes cluster pods and containers should only run with approved user and group IDs |
f06ddb64-5fa3-4b77-b166-acb36f7f6042 |
Kubernetes |
Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Kubernetes cluster pods should only use approved host network and port range |
82985f06-dc18-4a48-bc1c-b9f4f0098cfe |
Kubernetes |
Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Kubernetes cluster services should listen only on allowed ports |
233a2a17-77ca-4fb1-9b6b-69223d272a44 |
Kubernetes |
Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Kubernetes cluster services should only use allowed external IPs |
d46c275d-1680-448d-b2ec-e495a3b6cc89 |
Kubernetes |
Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Kubernetes cluster should not allow privileged containers |
95edb821-ddaf-4404-9732-666045e056b4 |
Kubernetes |
Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Kubernetes clusters should be accessible only over HTTPS |
1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d |
Kubernetes |
Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Kubernetes clusters should not allow container privilege escalation |
1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 |
Kubernetes |
Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version |
fb893a29-21bb-418c-a157-e99480ec364c |
Security Center |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images |
5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Log checkpoints should be enabled for PostgreSQL database servers |
eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Log connections should be enabled for PostgreSQL database servers |
eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Log duration should be enabled for PostgreSQL database servers |
eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Long-term geo-redundant backup should be enabled for Azure SQL Databases |
d38fc420-0735-4ef3-ac11-c806f651a570 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Managed disks should disable public network access |
8405fdab-1faf-48aa-b702-999c9c172094 |
Compute |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption |
d461a302-a187-421a-89ac-84acdb4edc04 |
Compute |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Management ports of virtual machines should be protected with just-in-time network access control |
b0f33259-77d7-4c9e-aac6-3aabcfae693c |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Management ports should be closed on your virtual machines |
22730e10-96f6-4aac-ad84-9383d35b5917 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
MariaDB server should use a virtual network service endpoint |
dfbd9a64-6114-48de-a47d-90574dc2e489 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Microsoft Antimalware for Azure should be configured to automatically update protection signatures |
c43e4a30-77cb-48ab-a4dd-93f175c63b57 |
Compute |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Microsoft Defender for Containers should be enabled |
1c988dd6-ade4-430f-a608-2a3e5b0a6d38 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Microsoft Defender for Storage should be enabled |
640d2586-54d2-465f-877f-9ffc1d2109f4 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Microsoft IaaSAntimalware extension should be deployed on Windows servers |
9b597639-28e4-48eb-b506-56b05d366257 |
Compute |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Modify - Configure Azure File Sync to disable public network access |
0e07b2e9-6cd9-4c40-9ccb-52817b95133b |
Storage |
Default Modify Allowed Modify, Disabled |
1 |
Contributor |
GA |
MySQL server should use a virtual network service endpoint |
3375856c-3824-4e0e-ae6a-79e011dd4c47 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Network Watcher should be enabled |
b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 |
Network |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Non-internet-facing virtual machines should be protected with network security groups |
bb91dfba-c30d-4263-9add-9c2384e659a6 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Not allowed resource types |
6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
General |
Default Deny Allowed Audit, Deny, Disabled |
0 |
|
GA |
Only approved VM extensions should be installed |
c0e996f8-39cf-4af9-9f45-83fbde810432 |
Compute |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
OS and data disks should be encrypted with a customer-managed key |
702dd420-7fcc-42c5-afe8-4026edd20fe0 |
Compute |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
PostgreSQL server should use a virtual network service endpoint |
3c14b034-bcb6-4905-94e7-5b8e98a47b65 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
PostgreSQL servers should use customer-managed keys to encrypt data at rest |
18adea5e-f416-4d0f-8aa8-d24321e3e274 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Private endpoint connections on Azure SQL Database should be enabled |
7698e800-9299-47a6-b3b6-5a0fee576eed |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Private endpoint should be enabled for MariaDB servers |
0a1302fb-a631-4106-9753-f3d494733990 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Private endpoint should be enabled for MySQL servers |
7595c971-233d-4bcf-bd18-596129188c49 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Private endpoint should be enabled for PostgreSQL servers |
0564d078-92f5-4f97-8398-b9f58a51f70b |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Public network access on Azure SQL Database should be disabled |
1b8ca024-1d5c-4dec-8995-b1a932b41780 |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Public network access should be disabled for Container registries |
0fdf0491-d080-4575-b627-ad0e843cba0f |
Container Registry |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Public network access should be disabled for MariaDB servers |
fdccbe47-f3e3-4213-ad5d-ea459b2fa077 |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Public network access should be disabled for MySQL flexible servers |
c9299215-ae47-4f50-9c54-8a392f68a052 |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Public network access should be disabled for MySQL servers |
d9844e8a-1437-4aeb-a32c-0c992f056095 |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Public network access should be disabled for PostgreSQL flexible servers |
5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Public network access should be disabled for PostgreSQL servers |
b52376f7-9612-48a1-81cd-1ffe4b61032c |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Resource logs in Azure Key Vault Managed HSM should be enabled |
a2a5b911-5617-447e-a49e-59dbe0e0434b |
Key Vault |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Resource logs in Event Hub should be enabled |
83a214f7-d01a-484b-91a9-ed54470c9a6a |
Event Hub |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Resource logs in Key Vault should be enabled |
cf820ca0-f99e-4f3e-84fb-66e913812d21 |
Key Vault |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Role-Based Access Control (RBAC) should be used on Kubernetes Services |
ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 |
Security Center |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption |
fa298e57-9444-42ba-bf04-86e8470e32c7 |
Monitoring |
Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
Secure transfer to storage accounts should be enabled |
404c3081-a854-4457-ae30-26a93ef643f9 |
Storage |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
SQL Auditing settings should have Action-Groups configured to capture critical activities |
7ff426e2-515f-405a-91c8-4f2333442eb5 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
SQL Database should avoid using GRS backup redundancy |
b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 |
SQL |
Default Deny Allowed Deny, Disabled |
0 |
|
GA |
SQL Managed Instance should have the minimal TLS version of 1.2 |
a8793640-60f7-487c-b5c3-1d37215905c4 |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
SQL Managed Instances should avoid using GRS backup redundancy |
a9934fd7-29f2-4e6d-ab3d-607ea38e9079 |
SQL |
Default Deny Allowed Deny, Disabled |
0 |
|
GA |
SQL managed instances should use customer-managed keys to encrypt data at rest |
ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
SQL Server should use a virtual network service endpoint |
ae5d2f14-d830-42b6-9899-df6cfe9c71a3 |
Network |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
SQL servers should use customer-managed keys to encrypt data at rest |
0a370ff3-6cab-4e85-8995-295fd854c5b8 |
SQL |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Storage account containing the container with activity logs must be encrypted with BYOK |
fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Storage accounts should allow access from trusted Microsoft services |
c9d007d0-c057-4772-b18c-01e546713bcd |
Storage |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Storage accounts should have infrastructure encryption |
4733ea7b-a883-42fe-8cac-97454c2a9e4a |
Storage |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Storage Accounts should use a virtual network service endpoint |
60d21c4f-21a3-4d94-85f4-b924e6aeeda4 |
Network |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Storage accounts should use customer-managed key for encryption |
6fac406b-40ca-413b-bf8e-0bf964659c25 |
Storage |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Subnets should be associated with a Network Security Group |
e71308d3-144b-4262-b144-efdc3cc90517 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Subscriptions should have a contact email address for security issues |
4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
The Log Analytics extension should be installed on Virtual Machine Scale Sets |
efbde977-ba53-4479-b8e9-10b957924fbf |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Transparent Data Encryption on SQL databases should be enabled |
17k78e20-9358-41c9-923c-fb736d382a12 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Virtual machines and virtual machine scale sets should have encryption at host enabled |
fc4d8e41-e223-45ea-9bf5-eada37891d87 |
Compute |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
d26f7642-7545-4e18-9b75-8c9bbdee3a9a |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Virtual machines should be connected to an approved virtual network |
d416745a-506c-48b6-8ab1-83cb814bcaa3 |
Network |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Virtual machines should be migrated to new Azure Resource Manager resources |
1d84d5fb-01f6-4d12-ba4f-4a26081d403d |
Compute |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Virtual machines should have the Log Analytics extension installed |
a70ca396-0a34-413a-88e1-b956c1e683be |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet |
77e8b146-0078-4fb2-b002-e112381199f0 |
SQL |
Fixed AuditIfNotExists |
0 |
|
GA |
Virtual networks should use specified virtual network gateway |
f1776c76-f58c-4245-a8d0-2b207198dc8b |
Network |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Vulnerabilities in security configuration on your machines should be remediated |
e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Vulnerability assessment should be enabled on SQL Managed Instance |
1b7aa243-30e4-4c9e-bca8-d0d3022b634a |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Vulnerability assessment should be enabled on your SQL servers |
ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Web Application Firewall (WAF) should be enabled for Application Gateway |
564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 |
Network |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Web Application Firewall (WAF) should use the specified mode for Application Gateway |
12430be1-6cc8-4527-a9a8-e3d38f250096 |
Network |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service |
425bea59-a659-4cbb-8d31-34499bd030b8 |
Network |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |