last sync: 2024-Mar-01 17:50:54 UTC

CMMC Level 3

Azure BuiltIn Policy Initiative (PolicySet)

Source Azure Portal
Display nameCMMC Level 3
Idb5629c75-5c77-4422-87b9-2509e680f8de
Version11.4.0
Details on versioning
CategoryRegulatory Compliance
Microsoft Learn
DescriptionThis initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative.
TypeBuiltIn
DeprecatedFalse
PreviewFalse
Policy count Total Policies: 160
Builtin Policies: 160
Static Policies: 0
Policy used
Policy DisplayName Policy Id Category Effect Roles# Roles State
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall fc5e4038-4584-4632-8c85-c0448d374b2c Network Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 Preview
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images 32133ab0-ee4b-4b44-98d6-042180979d50 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 Preview
[Preview]: Storage account public access should be disallowed 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 Storage Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 Preview
A maximum of 3 owners should be designated for your subscription 4f11b553-d42e-4e3a-89be-32ca364cad4c Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
A vulnerability assessment solution should be enabled on your virtual machines 501541f7-f7e7-4cd6-868c-4190fdad3ac9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Accounts with owner permissions on Azure resources should be MFA enabled e3e008c3-56b9-4133-8fd7-d3347377402a Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Accounts with read permissions on Azure resources should be MFA enabled 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Accounts with write permissions on Azure resources should be MFA enabled 931e118d-50a1-4457-a5e4-78550e086c52 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Activity log should be retained for at least one year b02aacc0-b073-424e-8298-42b22829ee0a Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Adaptive application controls for defining safe applications should be enabled on your machines 47a6b606-51aa-4496-8bb7-64b11cf66adc Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Guest Configuration Fixed
modify
1 Contributor GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 497dff13-db2a-4c0f-8603-28fa3b331ab6 Guest Configuration Fixed
modify
1 Contributor GA
All network ports should be restricted on network security groups associated to your virtual machine 9daedab3-fb2d-461e-b861-71790eead4f6 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Allowlist rules in your adaptive application control policy should be updated 123a3936-f020-408a-ba0c-47873faf1534 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
An activity log alert should exist for specific Administrative operations b954148f-4c11-4c38-8221-be76711e194a Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
An activity log alert should exist for specific Policy operations c5447c04-a4d7-4ba8-a263-c9ee321a6858 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
An activity log alert should exist for specific Security operations 3b980d31-7904-4bb7-8575-5665739a8052 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
An Azure Active Directory administrator should be provisioned for SQL servers 1f314764-cb73-4fc9-b863-8eca98ac36e9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should have remote debugging turned off cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should have resource logs enabled 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should not have CORS configured to allow every resource to access your apps 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should only be accessible over HTTPS a4af4a39-4135-47fb-b175-47fbdf85311d App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
App Service apps should use latest 'HTTP Version' 8c122334-9d20-4eb8-89ea-ac9a705b74ae App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
App Service apps should use the latest TLS version f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit diagnostic setting for selected resource types 7f89b1eb-583c-429a-8828-af049802c1d9 Monitoring Fixed
AuditIfNotExists
0 GA
Audit Linux machines that allow remote connections from accounts without passwords ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Linux machines that do not have the passwd file permissions set to 0644 e6955644-301c-44b5-a4c4-528577de6861 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Linux machines that have accounts without passwords f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit usage of custom RBAC roles a451c1ef-c6ca-483d-87ed-f49761e3ffb5 General Default
Audit
Allowed
Audit, Disabled
0 GA
Audit virtual machines without disaster recovery configured 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Compute Fixed
auditIfNotExists
0 GA
Audit Windows machines missing any of specified members in the Administrators group 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 Guest Configuration Fixed
auditIfNotExists
0 GA
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 5b054a0d-39e2-4d53-bea3-9734cad2c69b Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that do not have the password complexity setting enabled bf16e0bb-31e1-4646-8202-60a235cc7e74 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that do not restrict the minimum password length to specified number of characters a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that do not store passwords using reversible encryption da0f98fe-a24b-4ad5-af69-bd0400233661 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that have the specified members in the Administrators group 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f Guest Configuration Fixed
auditIfNotExists
0 GA
Auditing on SQL server should be enabled a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Automation account variables should be encrypted 3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Azure AI Services resources should restrict network access 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure Ai Services Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Azure API for FHIR should use a customer-managed key to encrypt data at rest 051cba44-2429-45b9-9649-46cec11c7119 API for FHIR Default
Audit
Allowed
audit, Audit, disabled, Disabled
0 GA
Azure Backup should be enabled for Virtual Machines 013e242c-8828-4970-87b3-ab247555486d Backup Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Data Box jobs should enable double encryption for data at rest on the device c349d81b-9985-44ae-a8da-ff98d108ede8 Data Box Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Azure Data Explorer encryption at rest should use a customer-managed key 81e74cea-30fd-40d5-802f-d72103c2aaaa Azure Data Explorer Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Azure Defender for App Service should be enabled 2913021d-f2fd-4f3d-b958-22354e2bdbcb Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for Azure SQL Database servers should be enabled 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for Key Vault should be enabled 0e6763cc-5078-4e64-889d-ff4d9a839047 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for servers should be enabled 4da35fc9-c9e7-4960-aec9-797fe7d9051d Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for SQL servers on machines should be enabled 6581d072-105e-4418-827f-bd446d56421b Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for SQL should be enabled for unprotected Azure SQL servers abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Key Vault should have firewall enabled 55615ac9-af46-4a59-874e-391cc3dfb490 Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1a4e592a-6a6e-44a5-9814-e36264ca96e7 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Monitor should collect activity logs from all regions 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure registry container images should have vulnerabilities resolved (powered by Qualys) 5f0f936f-2f01-4bf5-b6be-d423792fa562 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Security Center Default
Audit
Allowed
Audit, Disabled
0 GA
Azure Stream Analytics jobs should use customer-managed keys to encrypt data 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 Stream Analytics Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Azure subscriptions should have a log profile for Activity Log 7796937f-307b-4598-941c-67d3a05ebfe7 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest f7d52b2d-e161-4dfa-a82b-55e564167385 Synapse Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Azure Web Application Firewall should be enabled for Azure Front Door entry-points 055aa869-bc98-4af8-bafc-23f1ab6ffe2c Network Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Blocked accounts with owner permissions on Azure resources should be removed 0cfea604-3201-4e14-88fc-fae4c427a6c5 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Blocked accounts with read and write permissions on Azure resources should be removed 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Certificates using RSA cryptography should have the specified minimum key size cee51871-e572-4576-855c-047c820360f0 Key Vault Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Cognitive Services accounts should disable public network access 0725b4dd-7e76-479c-a735-68e7ee23d5ca Cognitive Services Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Cognitive Services accounts should enable data encryption with a customer-managed key 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Container registries should be encrypted with a customer-managed key 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container Registry Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Container registries should not allow unrestricted network access d0793b48-0edc-4296-a390-4c75d1bdfd71 Container Registry Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
CORS should not allow every domain to access your API for FHIR 0fea8f8a-4169-495d-8307-30ec335f387d API for FHIR Default
Audit
Allowed
audit, Audit, disabled, Disabled
0 GA
Deploy Advanced Threat Protection for Cosmos DB Accounts b5f04e03-92a3-4b09-9410-2cc5e5047656 Cosmos DB Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Security Admin GA
Deploy Defender for Storage (Classic) on storage accounts 361c2074-3595-4e5d-8cab-4f21dffc835c Storage Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Security Admin GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 331e8ea8-378a-410f-a2e5-ae22f38bb0da Guest Configuration Fixed
deployIfNotExists
1 Contributor GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 385f5831-96d4-41db-9a3c-cd3af78aaae6 Guest Configuration Fixed
deployIfNotExists
1 Contributor GA
Disk encryption should be enabled on Azure Data Explorer f4b53539-8df9-40e4-86c6-6b607703bd4e Azure Data Explorer Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Double encryption should be enabled on Azure Data Explorer ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 Azure Data Explorer Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Email notification for high severity alerts should be enabled 6e2593d9-add6-4083-9c9b-4b7d2188c899 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Email notification to subscription owner for high severity alerts should be enabled 0b15565f-aa9e-48ba-8619-45960f2c314d Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Endpoint protection solution should be installed on virtual machine scale sets 26a828e1-e88f-464e-bbb3-c134a282b9de Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Enforce SSL connection should be enabled for MySQL database servers e802a67a-daf5-4436-9ea6-f6d821dd0c5d SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Enforce SSL connection should be enabled for PostgreSQL database servers d158790f-bfb0-486c-8631-2dc6b4e8e6af SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Flow logs should be configured for every network security group c251913d-7d24-4958-af87-478ed3b9ba41 Network Default
Audit
Allowed
Audit, Disabled
0 GA
Function apps should have remote debugging turned off 0e60b895-3786-45da-8377-9c6b4b6ac5f9 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should not have CORS configured to allow every resource to access your apps 0820b7b9-23aa-4725-a1ce-ae4558f718e5 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should only be accessible over HTTPS 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
Function apps should use latest 'HTTP Version' e2c1c086-2d84-4019-bff3-c44ccd95113c App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Function apps should use the latest TLS version f9d614c5-c173-4d56-95a7-b4437057d193 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Geo-redundant backup should be enabled for Azure Database for MariaDB 0ec47710-77ff-4a3d-9181-6aa50af424d0 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Geo-redundant backup should be enabled for Azure Database for MySQL 82339799-d096-41ae-8538-b108becf0970 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Geo-redundant backup should be enabled for Azure Database for PostgreSQL 48af4db5-9b8b-401c-8e74-076be876a430 SQL Default
Audit
Allowed
Audit, Disabled
0 GA
Guest accounts with owner permissions on Azure resources should be removed 339353f6-2387-4a45-abe4-7f529d121046 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Guest accounts with read permissions on Azure resources should be removed e9ac8f8e-ce22-4355-8f04-99b911d6be52 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Guest accounts with write permissions on Azure resources should be removed 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Guest Configuration extension should be installed on your machines ae89ebca-1c92-4898-ac2c-9f63decb045c Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Infrastructure encryption should be enabled for Azure Database for MySQL servers 3a58212a-c829-4f13-9872-6371df2fd0b4 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers 24fba194-95d6-48c0-aea7-f65bf859c598 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Internet-facing virtual machines should be protected with network security groups f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Key Vault keys should have an expiration date 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Key vaults should have deletion protection enabled 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Key vaults should have soft delete enabled 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Keys should be the specified cryptographic type RSA or EC 75c4f823-d65c-4f29-a733-01d0077fdbcb Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Keys using elliptic curve cryptography should have the specified curve names ff25f3c8-b739-4538-9d07-3d6d25cfb255 Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Keys using RSA cryptography should have a specified minimum key size 82067dbb-e53b-4e06-b631-546d197452d9 Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Kubernetes cluster pods should only use approved host network and port range 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version fb893a29-21bb-418c-a157-e99480ec364c Security Center Default
Audit
Allowed
Audit, Disabled
0 GA
Linux machines should meet requirements for the Azure compute security baseline fc9b3da7-8347-4380-8e70-0a0361d8dedd Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Long-term geo-redundant backup should be enabled for Azure SQL Databases d38fc420-0735-4ef3-ac11-c806f651a570 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Management ports of virtual machines should be protected with just-in-time network access control b0f33259-77d7-4c9e-aac6-3aabcfae693c Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Microsoft Antimalware for Azure should be configured to automatically update protection signatures c43e4a30-77cb-48ab-a4dd-93f175c63b57 Compute Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Microsoft Defender for Containers should be enabled 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Microsoft Defender for Storage should be enabled 640d2586-54d2-465f-877f-9ffc1d2109f4 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Microsoft IaaSAntimalware extension should be deployed on Windows servers 9b597639-28e4-48eb-b506-56b05d366257 Compute Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Monitor missing Endpoint Protection in Azure Security Center af6cd1bd-1635-48cb-bde7-5b15693900b9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Network Watcher should be enabled b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 Network Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Non-internet-facing virtual machines should be protected with network security groups bb91dfba-c30d-4263-9add-9c2384e659a6 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Only secure connections to your Azure Cache for Redis should be enabled 22bee202-a82f-4305-9a2a-6d7f44d4dedb Cache Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access on Azure SQL Database should be disabled 1b8ca024-1d5c-4dec-8995-b1a932b41780 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for MariaDB servers fdccbe47-f3e3-4213-ad5d-ea459b2fa077 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for MySQL flexible servers c9299215-ae47-4f50-9c54-8a392f68a052 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for MySQL servers d9844e8a-1437-4aeb-a32c-0c992f056095 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for PostgreSQL flexible servers 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Public network access should be disabled for PostgreSQL servers b52376f7-9612-48a1-81cd-1ffe4b61032c SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Require encryption on Data Lake Store accounts a7ff3161-0087-490a-9ad9-ad6217f4f43a Data Lake Fixed
deny
0 GA
Resource logs in IoT Hub should be enabled 383856f8-de7f-44a2-81fc-e5135b5c2aa4 Internet of Things Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Secure transfer to storage accounts should be enabled 404c3081-a854-4457-ae30-26a93ef643f9 Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Security Center standard pricing tier should be selected a1181c5f-672a-477a-979a-7d58aa086233 Security Center Default
Audit
Allowed
Audit, Disabled
0 GA
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign 617c02be-7f02-4efd-8836-3180d47b6c68 Service Fabric Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
SQL databases should have vulnerability findings resolved feedbf84-6b99-488c-acc2-71c829aa5ffc Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
SQL managed instances should use customer-managed keys to encrypt data at rest ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
SQL servers should use customer-managed keys to encrypt data at rest 0a370ff3-6cab-4e85-8995-295fd854c5b8 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Storage accounts should allow access from trusted Microsoft services c9d007d0-c057-4772-b18c-01e546713bcd Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Storage accounts should have infrastructure encryption 4733ea7b-a883-42fe-8cac-97454c2a9e4a Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Storage accounts should restrict network access 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Storage accounts should use customer-managed key for encryption 6fac406b-40ca-413b-bf8e-0bf964659c25 Storage Default
Audit
Allowed
Audit, Disabled
0 GA
Subnets should be associated with a Network Security Group e71308d3-144b-4262-b144-efdc3cc90517 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Subscriptions should have a contact email address for security issues 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
System updates on virtual machine scale sets should be installed c3f317a7-a95c-4547-b7e7-11017ebdf2fe Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
System updates should be installed on your machines 86b3d65f-7626-441e-b690-81a8b71cff60 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
The Log Analytics extension should be installed on Virtual Machine Scale Sets efbde977-ba53-4479-b8e9-10b957924fbf Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
There should be more than one owner assigned to your subscription 09024ccc-0c5f-475e-9457-b7c0d9ed487b Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Transparent Data Encryption on SQL databases should be enabled 17k78e20-9358-41c9-923c-fb736d382a12 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity d26f7642-7545-4e18-9b75-8c9bbdee3a9a Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines should be connected to a specified workspace f47b5582-33ec-4c5c-87c0-b010a6b2e917 Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 0961003e-5a0a-4549-abde-af6a37f2724d Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines should have the Log Analytics extension installed a70ca396-0a34-413a-88e1-b956c1e683be Monitoring Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in container security configurations should be remediated e8cbc669-f12d-49eb-93e7-9273119e9933 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in security configuration on your machines should be remediated e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerability assessment should be enabled on SQL Managed Instance 1b7aa243-30e4-4c9e-bca8-d0d3022b634a SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerability assessment should be enabled on your SQL servers ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Web Application Firewall (WAF) should be enabled for Application Gateway 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 Network Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Web Application Firewall (WAF) should use the specified mode for Application Gateway 12430be1-6cc8-4527-a9a8-e3d38f250096 Network Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service 425bea59-a659-4cbb-8d31-34499bd030b8 Network Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Windows machines should be configured to use secure communication protocols 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'Security Options - Network Access' 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'Security Options - Network Security' 1221c620-d201-468c-81e7-2817e6107e84 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'Security Options - User Account Control' 492a29ed-d143-4f03-b6a4-705ce081b463 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'System Audit Policies - Policy Change' 2a7a701e-dff3-4da9-9ec5-42cb98594c0b Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'System Audit Policies - Privilege Use' 87845465-c458-45f3-af66-dcd62176f397 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'User Rights Assignment' e068b215-0026-4354-b347-8fb2766f73a2 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Roles used Total Roles usage: 6
Total Roles unique usage: 2
Role Role Id Policies count Policies
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c 4 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Security Admin fb1c8493-542b-48eb-b624-b4c8fea62acd 2 Deploy Advanced Threat Protection for Cosmos DB Accounts, Deploy Defender for Storage (Classic) on storage accounts
History
Date/Time (UTC ymd) (i) Changes
2023-12-07 18:54:02 add Policy Microsoft Defender for Storage should be enabled (640d2586-54d2-465f-877f-9ffc1d2109f4)
Version change: '11.3.1' to '11.4.0'
remove Policy [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
2023-12-01 19:16:58 Version change: '11.3.0' to '11.3.1'
2023-05-04 17:45:12 add Policy Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a)
add Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87)
add Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046)
add Policy Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52)
add Policy Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4)
add Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5)
add Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be)
add Policy Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52)
Version change: '11.1.0' to '11.3.0'
remove Policy App Service apps that use PHP should use a specified 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3)
remove Policy [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3)
remove Policy [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
remove Policy [Deprecated]: External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9)
remove Policy Function apps that use Python should use a specified 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73)
remove Policy [Deprecated]: Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474)
remove Policy App Service apps that use Java should use a specified 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed)
remove Policy [Deprecated]: External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60)
remove Policy App Service apps that use Python should use a specified 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73)
remove Policy [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed)
remove Policy [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad)
remove Policy Function apps that use Java should use a specified 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc)
remove Policy [Deprecated]: External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4)
2023-01-19 18:07:18 Version change: '11.0.0' to '11.1.0'
remove Policy [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports (057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9)
2022-07-07 16:32:14 Version change: '10.0.0' to '11.0.0'
remove Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39)
remove Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e)
remove Policy [Deprecated]: CORS should not allow every resource to access your API App (358c20a6-3f9e-4f0e-97ff-c6ce485e2aac)
remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba)
remove Policy [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app (991310cd-e9f3-47bc-b7b6-f57b557d07db)
remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e)
remove Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16)
2022-06-10 16:31:22 Version change: '8.1.0' to '10.0.0'
remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2022-01-13 19:18:29 add Policy Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38)
add Policy App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510)
remove Policy [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a)
remove Policy [Deprecated]: Diagnostic logs in App Services should be enabled (b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0)
remove Policy [Deprecated]: Unattached disks should be encrypted (2c89a2e5-7285-40fe-afe0-ae8654b92fb2)
remove Policy [Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4)
2021-12-08 16:24:23 add Policy SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8)
add Policy SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2)
remove Policy [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest (048248b0-55cd-46da-b1ff-39efd52db260)
remove Policy [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest (0d134df8-db83-46fb-ad72-fe0c9428c8dd)
2021-11-15 17:00:50 Name change: '[Preview]: CMMC Level 3' to 'CMMC Level 3'
2021-09-30 16:01:51 remove Policy [Deprecated]: SSH access from the Internet should be blocked (2c89a2e5-7285-40fe-afe0-ae8654b92fab)
remove Policy [Deprecated]: RDP access from the Internet should be blocked (e372f825-a257-4fb8-9175-797a8a8627d6)
2021-04-21 13:28:48 remove Policy [Deprecated]: Cognitive Services accounts should enable data encryption (2bdd0062-9d75-436e-89df-487dd8e4b3c7)
2021-02-17 14:28:42 remove Policy Audit Windows machines that have extra accounts in the Administrators group (3d2a3320-2a72-4c67-ac5f-caa40fbee2b2)
remove Policy Audit Windows machines that are not set to the specified time zone (c633f6a2-7f8b-4d9e-9456-02f0f04f5505)
2021-02-03 15:09:01 remove Policy [Deprecated]: A security contact phone number should be provided for your subscription (b4d66858-c922-44e3-9566-5cdb7a7be744)
remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)
2021-01-22 09:14:56 add Initiative b5629c75-5c77-4422-87b9-2509e680f8de
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC