last sync: 2022-Dec-02 17:43:04 UTC

Azure Policy Initiative

[Preview]: RMIT Malaysia

Name[Preview]: RMIT Malaysia
Azure Portal
Id97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6
Version9.0.0-preview
details on versioning
CategoryRegulatory Compliance
Microsoft docs
DescriptionThis initiative includes policies that address a subset of RMIT requirements. Additional policies will be added in upcoming releases. For more information, visit aka.ms/rmit-initiative.
TypeBuiltIn
DeprecatedFalse
PreviewTrue
History
Date/Time (UTC ymd) (i) Changes
2022-07-07 16:32:14 Version change: '8.0.0-preview' to '9.0.0-preview'
remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba)
remove Policy [Deprecated]: FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5)
remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e)
remove Policy [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app (991310cd-e9f3-47bc-b7b6-f57b557d07db)
remove Policy [Deprecated]: Managed identity should be used in your API App (c4d441f8-f9d9-4a9e-9cef-e82117cb3eef)
remove Policy [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled (0c192fe8-9cbb-4516-85b3-0ade8bd03886)
remove Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16)
remove Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39)
remove Policy [Deprecated]: Authentication should be enabled on your API app (c4ebc54a-46e1-481a-bee2-d4411e95d828)
remove Policy [Deprecated]: CORS should not allow every resource to access your API App (358c20a6-3f9e-4f0e-97ff-c6ce485e2aac)
remove Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e)
2022-06-10 16:31:22 Version change: '6.0.0-preview' to '8.0.0-preview'
remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2022-05-12 16:30:30 Version change: '5.0.0-preview' to '6.0.0-preview'
remove Policy [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates (6646a0bd-e110-40ca-bb97-84fcee63c414)
2022-03-18 17:53:48 Version change: '4.1.0-preview' to '5.0.0-preview'
remove Policy [Deprecated]: Diagnostic logs in App Services should be enabled (b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0)
2022-01-27 17:51:51 remove Policy [Deprecated]: Custom subscription owner roles should not exist (10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9)
2022-01-13 19:18:29 add Policy Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38)
add Policy SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8)
add Policy SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2)
remove Policy [Deprecated]: Log Analytics agent health issues should be resolved on your machines (d62cfe2b-3ab0-4d41-980d-76803b58ca65)
remove Policy [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a)
remove Policy [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest (0d134df8-db83-46fb-ad72-fe0c9428c8dd)
remove Policy [Deprecated]: Kubernetes cluster containers should only listen on allowed ports (440b515e-a580-421e-abeb-b159a61ddcbc)
remove Policy [Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4)
remove Policy [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest (048248b0-55cd-46da-b1ff-39efd52db260)
2021-12-08 16:24:23 add Initiative 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6
Policy count Total Policies: 216
Builtin Policies: 216
Static Policies: 0
Policy used
Policy DisplayName Policy Id Category Effect Roles# Roles State
A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections 50b83b09-03da-41c1-b656-c293c914862b Network Default
Audit
Allowed
Audit, Disabled
0 GA
A vulnerability assessment solution should be enabled on your virtual machines 501541f7-f7e7-4cd6-868c-4190fdad3ac9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Activity log should be retained for at least one year b02aacc0-b073-424e-8298-42b22829ee0a Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Adaptive application controls for defining safe applications should be enabled on your machines 47a6b606-51aa-4496-8bb7-64b11cf66adc Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
All network ports should be restricted on network security groups associated to your virtual machine 9daedab3-fb2d-461e-b861-71790eead4f6 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Allowlist rules in your adaptive application control policy should be updated 123a3936-f020-408a-ba0c-47873faf1534 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
An Azure Active Directory administrator should be provisioned for SQL servers 1f314764-cb73-4fc9-b863-8eca98ac36e9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
API Management services should use a virtual network ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management Default
Audit
Allowed
Audit, Disabled
0 GA
App Configuration should disable public network access 3d9f5e4c-9947-4579-9539-2a7695fbc187 App Configuration Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
App Configuration should use a customer-managed key 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 App Configuration Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
App Service apps should have authentication enabled 95bccee9-a7f8-4bec-9ee9-62c3473701fc App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled 5bb220d9-2698-4ee4-8404-b9c30c9df609 App Service Default
Audit
Allowed
Audit, Disabled
0 GA
App Service apps should have remote debugging turned off cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should have resource logs enabled 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should not have CORS configured to allow every resource to access your apps 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should only be accessible over HTTPS a4af4a39-4135-47fb-b175-47fbdf85311d App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
App Service apps should require FTPS only 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should use latest 'HTTP Version' 8c122334-9d20-4eb8-89ea-ac9a705b74ae App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should use the latest TLS version f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps that use Java should use the latest 'Java version' 496223c3-ad65-4ecd-878a-bae78737e9ed App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps that use PHP should use the latest 'PHP version' 7261b898-8a84-4db8-9e04-18527132abb3 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps that use Python should use the latest 'Python version' 7008174a-fd10-4ef0-817e-fc820a951d73 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit diagnostic setting 7f89b1eb-583c-429a-8828-af049802c1d9 Monitoring Fixed
AuditIfNotExists
0 GA
Audit resource location matches resource group location 0a914e76-4921-4c19-b460-a2d36003525a General Fixed
audit
0 GA
Audit usage of custom RBAC rules a451c1ef-c6ca-483d-87ed-f49761e3ffb5 General Default
Audit
Allowed
Audit, Disabled
0 GA
Audit virtual machines without disaster recovery configured 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Compute Fixed
auditIfNotExists
0 GA
Auditing on SQL server should be enabled a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Authorization rules on the Event Hub instance should be defined f4826e5f-6a27-407c-ae3e-9582eb39891d Event Hub Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Authorized IP ranges should be defined on Kubernetes Services 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea Security Center Default
Audit
Allowed
Audit, Disabled
0 GA
Auto provisioning of the Log Analytics agent should be enabled on your subscription 475aae12-b88a-4572-8b36-9b712b2b3a17 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Backup should be enabled for Virtual Machines 013e242c-8828-4970-87b3-ab247555486d Backup Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Container Instance container group should deploy into a virtual network 8af8f826-edcb-4178-b35f-851ea6fea615 Container Instance Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
Azure Container Instance container group should use customer-managed key for encryption 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 Container Instance Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
Azure DDoS Protection Standard should be enabled a7aca53f-2ed4-4466-a25e-0b45ade68efd Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for App Service should be enabled 2913021d-f2fd-4f3d-b958-22354e2bdbcb Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for Azure SQL Database servers should be enabled 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for Key Vault should be enabled 0e6763cc-5078-4e64-889d-ff4d9a839047 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for servers should be enabled 4da35fc9-c9e7-4960-aec9-797fe7d9051d Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for SQL servers on machines should be enabled 6581d072-105e-4418-827f-bd446d56421b Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for Storage should be enabled 308fbb08-4ab8-4e67-9b29-592e93fb94fa Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Key Vault Managed HSM should have purge protection enabled c39ba22d-4428-4149-b981-70acb31fc383 Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1a4e592a-6a6e-44a5-9814-e36264ca96e7 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Monitor Logs clusters should be encrypted with customer-managed key 1f68a601-6e6d-4e42-babf-3f643a047ea2 Monitoring Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace d550e854-df1a-4de9-bf44-cd894b39a95e Monitoring Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Azure Monitor should collect activity logs from all regions 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Monitor solution 'Security and Audit' must be deployed 3e596b57-105f-48a6-be97-03e9243bad6e Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure SQL Database should be running TLS version 1.2 or newer 32e6bbec-16b6-44c2-be37-c5b672d103cf SQL Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
Azure subscriptions should have a log profile for Activity Log 7796937f-307b-4598-941c-67d3a05ebfe7 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure VPN gateways should not use 'basic' SKU e345b6c3-24bd-4c93-9bbb-7e5e49a17b78 Network Default
Audit
Allowed
Audit, Disabled
0 GA
Azure Web Application Firewall should be enabled for Azure Front Door entry-points 055aa869-bc98-4af8-bafc-23f1ab6ffe2c Network Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Configure App Configuration to disable public network access 73290fa2-dfa7-4bbb-945d-a5e23b75df2c App Configuration Default
Modify
Allowed
Modify, Disabled
1 Contributor GA
Configure Azure SQL Server to disable public network access 28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b SQL Default
Modify
Allowed
Modify, Disabled
1 SQL Server Contributor GA
Configure Azure SQL Server to enable private endpoint connections 8e8ca470-d980-4831-99e6-dc70d9f6af87 SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Network Contributor, SQL Server Contributor GA
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location 09ce66bc-1220-4153-8104-e3f51c936913 Backup Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
2 Backup Contributor, Virtual Machine Contributor GA
Configure Container registries to disable public network access a3701552-92ea-433e-9d17-33b7f1208fc9 Container Registry Default
Modify
Allowed
Modify, Disabled
1 Contributor GA
Configure managed disks to disable public network access 8426280e-b5be-43d9-979e-653d12a08638 Compute Default
Modify
Allowed
Modify, Disabled
1 Contributor GA
Connection throttling should be enabled for PostgreSQL database servers 5345bb39-67dc-4960-a1bf-427e16b9a0bd SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Container registries should be encrypted with a customer-managed key 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container Registry Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Container registries should not allow unrestricted network access d0793b48-0edc-4296-a390-4c75d1bdfd71 Container Registry Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Container registry images should have vulnerability findings resolved 5f0f936f-2f01-4bf5-b6be-d423792fa562 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Cosmos DB should use a virtual network service endpoint e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 Network Default
Audit
Allowed
Audit, Disabled
0 GA
Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace b79fa14e-238a-4c2d-b376-442ce508fc84 SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets 3c1b3629-c8f8-4bf6-862c-037cb9094038 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Virtual Machine Contributor GA
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines 0868462e-646c-4fe3-9ced-a733534b6a2c Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Log Analytics Contributor GA
Deploy Advanced Threat Protection on storage accounts 361c2074-3595-4e5d-8cab-4f21dffc835c Storage Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Security Admin GA
Deploy Diagnostic Settings for Batch Account to Event Hub db51110f-0865-4a6e-b274-e2e07a5b2cd7 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Deploy Diagnostic Settings for Batch Account to Log Analytics workspace c84e5349-db6d-4769-805e-e14037dab9b5 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deploy Diagnostic Settings for Data Lake Analytics to Event Hub 4daddf25-4823-43d4-88eb-2419eb6dcc08 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub e8d096bc-85de-4c5f-8cfb-857bd1b9d62d Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace 25763a0a-5783-4f14-969e-79d4933eb74b Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deploy Diagnostic Settings for Event Hub to Event Hub ef7b61ef-b8e4-4c91-8e78-6946c6b0023f Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Deploy Diagnostic Settings for Event Hub to Log Analytics workspace 1f6e93e8-6b31-41b1-83f6-36e449a42579 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deploy Diagnostic Settings for Key Vault to Log Analytics workspace bef3f64c-5290-43b7-85b0-9b254eef4c47 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deploy Diagnostic Settings for Logic Apps to Event Hub a1dae6c7-13f3-48ea-a149-ff8442661f60 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace b889a06c-ec72-4b03-910a-cb169ee18721 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deploy Diagnostic Settings for Search Services to Event Hub 3d5da587-71bd-41f5-ac95-dd3330c2d58d Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Deploy Diagnostic Settings for Search Services to Log Analytics workspace 08ba64b8-738f-4918-9686-730d2ed79c7d Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deploy Diagnostic Settings for Service Bus to Event Hub 6b51af03-9277-49a9-a3f8-1c69c9ff7403 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace 04d53d87-841c-4f23-8a5b-21564380b55e Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deploy Diagnostic Settings for Stream Analytics to Event Hub edf3780c-3d70-40fe-b17e-ab72013dafca Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 Monitoring Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Log Analytics Contributor, Monitoring Contributor GA
Deprecated accounts should be removed from your subscription 6b1cbf55-e8b6-442f-ba4c-7246b6381474 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Deprecated accounts with owner permissions should be removed from your subscription ebb62a0c-3560-49e1-89ed-27e074e9f8ad Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Disconnections should be logged for PostgreSQL database servers. eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Email notification for high severity alerts should be enabled 6e2593d9-add6-4083-9c9b-4b7d2188c899 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Email notification to subscription owner for high severity alerts should be enabled 0b15565f-aa9e-48ba-8619-45960f2c314d Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 Security Center Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. 6df2fee6-a9ed-4fef-bced-e13be1b25f1c Security Center Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA
Endpoint protection solution should be installed on virtual machine scale sets 26a828e1-e88f-464e-bbb3-c134a282b9de Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Enforce SSL connection should be enabled for MySQL database servers e802a67a-daf5-4436-9ea6-f6d821dd0c5d SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Enforce SSL connection should be enabled for PostgreSQL database servers d158790f-bfb0-486c-8631-2dc6b4e8e6af SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Event Hub namespaces should use a customer-managed key for encryption a1ad735a-e96f-45d2-a7b2-9a4932cab7ec Event Hub Default
Audit
Allowed
Audit, Disabled
0 GA
Event Hub should use a virtual network service endpoint d63edb4a-c612-454d-b47d-191a724fcbf0 Network Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
External accounts with owner permissions should be removed from your subscription f8456c1c-aa66-4dfb-861a-25d127b775c9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
External accounts with read permissions should be removed from your subscription 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
External accounts with write permissions should be removed from your subscription 5c607a2e-c700-4744-8254-d77e7c9eb5e4 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Flow logs should be configured for every network security group c251913d-7d24-4958-af87-478ed3b9ba41 Network Default
Audit
Allowed
Audit, Disabled
0 GA
Flow logs should be enabled for every network security group 27960feb-a23c-4577-8d36-ef8b5f35e0be Network Default
Audit
Allowed
Audit, Disabled
0 GA
Function apps should have authentication enabled c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should have 'Client Certificates (Incoming client certificates)' enabled eaebaea7-8013-4ceb-9d14-7eb32271373c App Service Default
Audit
Allowed
Audit, Disabled
0 GA
Function apps should have remote debugging turned off 0e60b895-3786-45da-8377-9c6b4b6ac5f9 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should not have CORS configured to allow every resource to access your apps 0820b7b9-23aa-4725-a1ce-ae4558f718e5 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should only be accessible over HTTPS 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
Function apps should require FTPS only 399b2637-a50f-4f95-96f8-3a145476eb15 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should use latest 'HTTP Version' e2c1c086-2d84-4019-bff3-c44ccd95113c App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should use managed identity 0da106f2-4ca3-48e8-bc85-c638fe6aea8f App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should use the latest TLS version f9d614c5-c173-4d56-95a7-b4437057d193 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps that use Java should use the latest 'Java version' 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps that use Python should use the latest 'Python version' 7238174a-fd10-4ef0-817e-fc820a951d73 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Geo-redundant backup should be enabled for Azure Database for MariaDB 0ec47710-77ff-4a3d-9181-6aa50af424d0 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Geo-redundant backup should be enabled for Azure Database for MySQL 82339799-d096-41ae-8538-b108becf0970 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Geo-redundant backup should be enabled for Azure Database for PostgreSQL 48af4db5-9b8b-401c-8e74-076be876a430 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Geo-redundant storage should be enabled for Storage Accounts bf045164-79ba-4215-8f95-f8048dc1780b Storage Default
Audit
Allowed
Audit, Disabled
0 GA
Guest Configuration extension should be installed on your machines ae89ebca-1c92-4898-ac2c-9f63decb045c Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
HPC Cache accounts should use customer-managed key for encryption 970f84d8-71b6-4091-9979-ace7e3fb6dbb Storage Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
Infrastructure encryption should be enabled for Azure Database for MySQL servers 3a58212a-c829-4f13-9872-6371df2fd0b4 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers 24fba194-95d6-48c0-aea7-f65bf859c598 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Internet-facing virtual machines should be protected with network security groups f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
IP Forwarding on your virtual machine should be disabled bd352bd5-2853-4985-bf0d-73806b4a5744 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Key Vault should use a virtual network service endpoint ea4d6841-2173-4317-9747-ff522a45120f Network Default
Audit
Allowed
Audit, Disabled
0 GA
Key vaults should have purge protection enabled 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Key vaults should have soft delete enabled 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Kubernetes cluster containers should only use allowed capabilities c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes cluster containers should run with a read only root file system df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes cluster pods and containers should only run with approved user and group IDs f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes cluster pods should only use approved host network and port range 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes cluster services should listen only on allowed ports 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes cluster services should only use allowed external IPs d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes cluster should not allow privileged containers 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes clusters should be accessible only over HTTPS 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes clusters should not allow container privilege escalation 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version fb893a29-21bb-418c-a157-e99480ec364c Security Center Default
Audit
Allowed
Audit, Disabled
0 GA
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring a4fe33eb-e377-4efb-ab31-0784311bc499 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring a3a6ea0c-e018-4933-9ef0-5aaa1501449b Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Log checkpoints should be enabled for PostgreSQL database servers eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Log connections should be enabled for PostgreSQL database servers eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Log duration should be enabled for PostgreSQL database servers eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Long-term geo-redundant backup should be enabled for Azure SQL Databases d38fc420-0735-4ef3-ac11-c806f651a570 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Managed disks should disable public network access 8405fdab-1faf-48aa-b702-999c9c172094 Compute Default
Audit
Allowed
Audit, Disabled
0 GA
Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption d461a302-a187-421a-89ac-84acdb4edc04 Compute Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Management ports of virtual machines should be protected with just-in-time network access control b0f33259-77d7-4c9e-aac6-3aabcfae693c Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Management ports should be closed on your virtual machines 22730e10-96f6-4aac-ad84-9383d35b5917 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
MariaDB server should use a virtual network service endpoint dfbd9a64-6114-48de-a47d-90574dc2e489 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
MFA should be enabled for accounts with write permissions on your subscription 9297c21d-2ed6-4474-b48f-163f75654ce3 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
MFA should be enabled on accounts with owner permissions on your subscription aa633080-8b72-40c4-a2d7-d00c03e80bed Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
MFA should be enabled on accounts with read permissions on your subscription e3576e28-8b17-4677-84c3-db2990658d64 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Microsoft Antimalware for Azure should be configured to automatically update protection signatures c43e4a30-77cb-48ab-a4dd-93f175c63b57 Compute Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Microsoft Defender for Containers should be enabled 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Microsoft IaaSAntimalware extension should be deployed on Windows servers 9b597639-28e4-48eb-b506-56b05d366257 Compute Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Modify - Configure Azure File Sync to disable public network access 0e07b2e9-6cd9-4c40-9ccb-52817b95133b Storage Default
Modify
Allowed
Modify, Disabled
1 Contributor GA
Monitor missing Endpoint Protection in Azure Security Center af6cd1bd-1635-48cb-bde7-5b15693900b9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
MySQL server should use a virtual network service endpoint 3375856c-3824-4e0e-ae6a-79e011dd4c47 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Network Watcher should be enabled b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 Network Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Non-internet-facing virtual machines should be protected with network security groups bb91dfba-c30d-4263-9add-9c2384e659a6 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Not allowed resource types 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 General Default
Deny
Allowed
Audit, Deny, Disabled
0 GA
Only approved VM extensions should be installed c0e996f8-39cf-4af9-9f45-83fbde810432 Compute Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
OS and data disks should be encrypted with a customer-managed key 702dd420-7fcc-42c5-afe8-4026edd20fe0 Compute Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
PostgreSQL server should use a virtual network service endpoint 3c14b034-bcb6-4905-94e7-5b8e98a47b65 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
PostgreSQL servers should use customer-managed keys to encrypt data at rest 18adea5e-f416-4d0f-8aa8-d24321e3e274 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Private endpoint connections on Azure SQL Database should be enabled 7698e800-9299-47a6-b3b6-5a0fee576eed SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Private endpoint should be enabled for MariaDB servers 0a1302fb-a631-4106-9753-f3d494733990 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Private endpoint should be enabled for MySQL servers 7595c971-233d-4bcf-bd18-596129188c49 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Private endpoint should be enabled for PostgreSQL servers 0564d078-92f5-4f97-8398-b9f58a51f70b SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Public network access on Azure SQL Database should be disabled 1b8ca024-1d5c-4dec-8995-b1a932b41780 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for Container registries 0fdf0491-d080-4575-b627-ad0e843cba0f Container Registry Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for MariaDB servers fdccbe47-f3e3-4213-ad5d-ea459b2fa077 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for MySQL flexible servers c9299215-ae47-4f50-9c54-8a392f68a052 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for MySQL servers d9844e8a-1437-4aeb-a32c-0c992f056095 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for PostgreSQL flexible servers 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for PostgreSQL servers b52376f7-9612-48a1-81cd-1ffe4b61032c SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Resource logs in Azure Key Vault Managed HSM should be enabled a2a5b911-5617-447e-a49e-59dbe0e0434b Key Vault Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Resource logs in Event Hub should be enabled 83a214f7-d01a-484b-91a9-ed54470c9a6a Event Hub Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Resource logs in Key Vault should be enabled cf820ca0-f99e-4f3e-84fb-66e913812d21 Key Vault Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Resource logs in Virtual Machine Scale Sets should be enabled 7c1b1214-f927-48bf-8882-84f0af6588b1 Compute Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Role-Based Access Control (RBAC) should be used on Kubernetes Services ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Security Center Default
Audit
Allowed
Audit, Disabled
0 GA
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption fa298e57-9444-42ba-bf04-86e8470e32c7 Monitoring Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Secure transfer to storage accounts should be enabled 404c3081-a854-4457-ae30-26a93ef643f9 Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
SQL Auditing settings should have Action-Groups configured to capture critical activities 7ff426e2-515f-405a-91c8-4f2333442eb5 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
SQL Database should avoid using GRS backup redundancy b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 SQL Default
Deny
Allowed
Deny, Disabled
0 GA
SQL Managed Instance should have the minimal TLS version of 1.2 a8793640-60f7-487c-b5c3-1d37215905c4 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
SQL Managed Instances should avoid using GRS backup redundancy a9934fd7-29f2-4e6d-ab3d-607ea38e9079 SQL Default
Deny
Allowed
Deny, Disabled
0 GA
SQL managed instances should use customer-managed keys to encrypt data at rest ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
SQL Server should use a virtual network service endpoint ae5d2f14-d830-42b6-9899-df6cfe9c71a3 Network Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
SQL servers should use customer-managed keys to encrypt data at rest 0a370ff3-6cab-4e85-8995-295fd854c5b8 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Storage account containing the container with activity logs must be encrypted with BYOK fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Storage accounts should allow access from trusted Microsoft services c9d007d0-c057-4772-b18c-01e546713bcd Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Storage accounts should have infrastructure encryption 4733ea7b-a883-42fe-8cac-97454c2a9e4a Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Storage Accounts should use a virtual network service endpoint 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 Network Default
Audit
Allowed
Audit, Disabled
0 GA
Storage accounts should use customer-managed key for encryption 6fac406b-40ca-413b-bf8e-0bf964659c25 Storage Default
Audit
Allowed
Audit, Disabled
0 GA
Subnets should be associated with a Network Security Group e71308d3-144b-4262-b144-efdc3cc90517 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Subscriptions should have a contact email address for security issues 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
System updates on virtual machine scale sets should be installed c3f317a7-a95c-4547-b7e7-11017ebdf2fe Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
System updates should be installed on your machines 86b3d65f-7626-441e-b690-81a8b71cff60 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
The Log Analytics extension should be installed on Virtual Machine Scale Sets efbde977-ba53-4479-b8e9-10b957924fbf Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Transparent Data Encryption on SQL databases should be enabled 17k78e20-9358-41c9-923c-fb736d382a12 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines and virtual machine scale sets should have encryption at host enabled fc4d8e41-e223-45ea-9bf5-eada37891d87 Compute Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity d26f7642-7545-4e18-9b75-8c9bbdee3a9a Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines should be connected to an approved virtual network d416745a-506c-48b6-8ab1-83cb814bcaa3 Network Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Virtual machines should be migrated to new Azure Resource Manager resources 1d84d5fb-01f6-4d12-ba4f-4a26081d403d Compute Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 0961003e-5a0a-4549-abde-af6a37f2724d Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines should have the Log Analytics extension installed a70ca396-0a34-413a-88e1-b956c1e683be Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet 77e8b146-0078-4fb2-b002-e112381199f0 SQL Fixed
AuditIfNotExists
0 GA
Virtual networks should use specified virtual network gateway f1776c76-f58c-4245-a8d0-2b207198dc8b Network Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in container security configurations should be remediated e8cbc669-f12d-49eb-93e7-9273119e9933 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in security configuration on your machines should be remediated e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerability assessment should be enabled on SQL Managed Instance 1b7aa243-30e4-4c9e-bca8-d0d3022b634a SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerability assessment should be enabled on your SQL servers ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Web Application Firewall (WAF) should be enabled for Application Gateway 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 Network Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Web Application Firewall (WAF) should use the specified mode for Application Gateway 12430be1-6cc8-4527-a9a8-e3d38f250096 Network Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service 425bea59-a659-4cbb-8d31-34499bd030b8 Network Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Roles used Total Roles usage: 43
Total Roles unique usage: 8
Role Role Id Policies count Policies
Backup Contributor 5e467623-bb1f-42f4-a55d-6e525e11384b 1 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
Monitoring Contributor 749f88d5-cbae-40b8-bcfc-e573ddc772fa 10 Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace, Deploy Diagnostic Settings for Batch Account to Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace, Deploy Diagnostic Settings for Event Hub to Log Analytics workspace, Deploy Diagnostic Settings for Key Vault to Log Analytics workspace, Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace, Deploy Diagnostic Settings for Search Services to Log Analytics workspace, Deploy Diagnostic Settings for Service Bus to Log Analytics workspace, Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace
Log Analytics Contributor 92aaf0da-9dab-42b6-94a3-d43ce8d16293 12 Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace, Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets, Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines, Deploy Diagnostic Settings for Batch Account to Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace, Deploy Diagnostic Settings for Event Hub to Log Analytics workspace, Deploy Diagnostic Settings for Key Vault to Log Analytics workspace, Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace, Deploy Diagnostic Settings for Search Services to Log Analytics workspace, Deploy Diagnostic Settings for Service Bus to Log Analytics workspace, Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace
SQL Server Contributor 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 2 Configure Azure SQL Server to disable public network access, Configure Azure SQL Server to enable private endpoint connections
Virtual Machine Contributor 9980e02c-c2be-4d73-94e8-173b1dc7cf3c 2 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location, Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets
Network Contributor 4d97b98b-1d4f-4787-a291-c67834d212e7 1 Configure Azure SQL Server to enable private endpoint connections
Security Admin fb1c8493-542b-48eb-b624-b4c8fea62acd 1 Deploy Advanced Threat Protection on storage accounts
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c 14 Configure App Configuration to disable public network access, Configure Container registries to disable public network access, Configure managed disks to disable public network access, Deploy Diagnostic Settings for Batch Account to Event Hub, Deploy Diagnostic Settings for Data Lake Analytics to Event Hub, Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub, Deploy Diagnostic Settings for Event Hub to Event Hub, Deploy Diagnostic Settings for Logic Apps to Event Hub, Deploy Diagnostic Settings for Search Services to Event Hub, Deploy Diagnostic Settings for Service Bus to Event Hub, Deploy Diagnostic Settings for Stream Analytics to Event Hub, Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace., Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace., Modify - Configure Azure File Sync to disable public network access
JSON