| Policy DisplayName | Policy Id | Category | Effect | State | Type |
| --- | --- | --- | --- | --- | --- |
| API App should only be accessible over HTTPS | Deny-AppServiceApiApp-http | App Service | Default: Deny Allowed: (Audit, Disabled, Deny) | GA | ALZ |
| AppService append enable https only setting to enforce https setting. | Append-AppService-httpsonly | App Service | Default: Append Allowed: (Append, Disabled) | GA | ALZ |
| AppService append sites with minimum TLS version to enforce. | Append-AppService-latestTLS | App Service | Default: Append Allowed: (Append, Disabled) | GA | ALZ |
| Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. | Append-Redis-sslEnforcement | Cache | Default: Append Allowed: (Append, Disabled) | GA | ALZ |
| Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. | Append-Redis-disableNonSslPort | Cache | Default: Append Allowed: (Append, Disabled, Modify) | GA | ALZ |
| Azure Cache for Redis only secure connections should be enabled | Deny-Redis-http | Cache | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | ALZ |
| Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. | Deploy-MySQL-sslEnforcement | SQL | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | GA | ALZ |
| Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL | Deploy-PostgreSQL-sslEnforcement | SQL | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | GA | ALZ |
| Azure SQL Database should have the minimal TLS version set to the highest version | Deny-Sql-minTLS | SQL | Default: Audit Allowed: (Audit, Disabled, Deny) | GA | ALZ |
| Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS | Deploy-Storage-sslEnforcement | Storage | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | GA | ALZ |
| Function App should only be accessible over HTTPS | Deny-AppServiceFunctionApp-http | App Service | Default: Deny Allowed: (Audit, Disabled, Deny) | GA | ALZ |
| Kubernetes clusters should be accessible only over HTTPS | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | GA | BuiltIn |
| Latest TLS version should be used in your API App | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA | BuiltIn |
| Latest TLS version should be used in your Function App | f9d614c5-c173-4d56-95a7-b4437057d193 | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA | BuiltIn |
| Latest TLS version should be used in your Web App | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | GA | BuiltIn |
| MySQL database servers enforce SSL connections. | Deny-MySql-http | SQL | Default: Deny Allowed: (Audit, Disabled, Deny) | GA | ALZ |
| PostgreSQL database servers enforce SSL connection. | Deny-PostgreSql-http | SQL | Default: Deny Allowed: (Audit, Disabled, Deny) | GA | ALZ |
| SQL Managed Instance should have the minimal TLS version set to the highest version | Deny-SqlMi-minTLS | SQL | Default: Audit Allowed: (Audit, Disabled, Deny) | GA | ALZ |
| SQL managed instances deploy a specific min TLS version requirement. | Deploy-SqlMi-minTLS | SQL | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | GA | ALZ |
| SQL servers deploys a specific min TLS version requirement. | Deploy-SQL-minTLS | SQL | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | GA | ALZ |
| Storage Account set to minimum TLS and Secure transfer should be enabled | Deny-Storage-minTLS | Storage | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | ALZ |
| Web Application should only be accessible over HTTPS | Deny-AppServiceWebApp-http | App Service | Default: Deny Allowed: (Audit, Disabled, Deny) | GA | ALZ |