| Policy DisplayName |
Policy Id |
Category |
Effect |
Roles# |
Roles |
State |
Type |
| API App should only be accessible over HTTPS |
Deny-AppServiceApiApp-http |
App Service |
Default
Deny
Allowed
Audit, Disabled, Deny |
0 |
|
GA |
ALZ |
| App Service apps should use the latest TLS version |
f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b |
App Service |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
BuiltIn |
| AppService append enable https only setting to enforce https setting. |
Append-AppService-httpsonly |
App Service |
Default
Append
Allowed
Append, Disabled |
0 |
|
GA |
ALZ |
| AppService append sites with minimum TLS version to enforce. |
Append-AppService-latestTLS |
App Service |
Default
Append
Allowed
Append, Disabled |
0 |
|
GA |
ALZ |
| Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. |
Append-Redis-sslEnforcement |
Cache |
Default
Append
Allowed
Append, Disabled |
0 |
|
GA |
ALZ |
| Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. |
Append-Redis-disableNonSslPort |
Cache |
Default
Append
Allowed
Append, Disabled |
0 |
|
GA |
ALZ |
| Azure Cache for Redis only secure connections should be enabled |
Deny-Redis-http |
Cache |
Default
Deny
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
ALZ |
| Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. |
Deploy-MySQL-sslEnforcement |
SQL |
Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
ALZ |
| Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL |
Deploy-PostgreSQL-sslEnforcement |
SQL |
Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled |
1 |
Contributor |
GA |
ALZ |
| Azure SQL Database should have the minimal TLS version set to the highest version |
Deny-Sql-minTLS |
SQL |
Default
Audit
Allowed
Audit, Disabled, Deny |
0 |
|
GA |
ALZ |
| Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS |
Deploy-Storage-sslEnforcement |
Storage |
Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled |
1 |
Storage Account Contributor |
GA |
ALZ |
| Function App should only be accessible over HTTPS |
Deny-AppServiceFunctionApp-http |
App Service |
Default
Deny
Allowed
Audit, Disabled, Deny |
0 |
|
GA |
ALZ |
| Function apps should use the latest TLS version |
f9d614c5-c173-4d56-95a7-b4437057d193 |
App Service |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
BuiltIn |
| Kubernetes clusters should be accessible only over HTTPS |
1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d |
Kubernetes |
Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
BuiltIn |
| MySQL database servers enforce SSL connections. |
Deny-MySql-http |
SQL |
Default
Deny
Allowed
Audit, Disabled, Deny |
0 |
|
GA |
ALZ |
| PostgreSQL database servers enforce SSL connection. |
Deny-PostgreSql-http |
SQL |
Default
Deny
Allowed
Audit, Disabled, Deny |
0 |
|
GA |
ALZ |
| SQL Managed Instance should have the minimal TLS version set to the highest version |
Deny-SqlMi-minTLS |
SQL |
Default
Audit
Allowed
Audit, Disabled, Deny |
0 |
|
GA |
ALZ |
| SQL managed instances deploy a specific min TLS version requirement. |
Deploy-SqlMi-minTLS |
SQL |
Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled |
1 |
SQL Managed Instance Contributor |
GA |
ALZ |
| SQL servers deploys a specific min TLS version requirement. |
Deploy-SQL-minTLS |
SQL |
Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled |
1 |
SQL Server Contributor |
GA |
ALZ |
| Storage Account set to minimum TLS and Secure transfer should be enabled |
Deny-Storage-minTLS |
Storage |
Default
Deny
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
ALZ |
| Web Application should only be accessible over HTTPS |
Deny-AppServiceWebApp-http |
App Service |
Default
Deny
Allowed
Audit, Disabled, Deny |
0 |
|
GA |
ALZ |