last sync: 2025-Oct-23 17:22:49 UTC

[Preview]: Microsoft cloud security benchmark v2

Azure BuiltIn Policy Initiative (PolicySet)

Source: Azure Portal
Display name: [Preview]: Microsoft cloud security benchmark v2
Id: e3ec7e09-768c-4b64-882c-fcada3772047
Version: 1.0.0-preview
Versioning: versions supported: 1 (1.0.0-preview); Built-in Versioning [Preview]
Category: Security Center
Description: The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.
Cloud environments: AzureCloud = true; AzureChinaCloud = unknown; AzureUSGovernment = unknown
Available in AzUSGov: Unknown (no evidence whether the PolicySet definition is or is not available in AzureUSGovernment)
Type: BuiltIn
Deprecated: False
Preview: true
Policy-used summary
Policy types: Total Policies 416; Builtin Policies 416; Static Policies 0
Policy states: GA 387; Preview 31
Policy categories (69):
API for FHIR: 2
API Management: 9
App Configuration: 3
App Platform: 1
App Service: 34
Attestation: 1
Automanage: 1
Automation: 4
Azure Ai Services: 5
Azure Arc: 4
Azure Data Explorer: 6
Azure Databricks: 6
Azure Edge Hardware Center: 1
Azure Load Testing: 1
Azure Purview: 1
Azure Stack Edge: 1
Azure Update Manager: 1
Backup: 5
Batch: 4
Bot Service: 4
Cache: 5
CDN: 2
Cognitive Services: 2
Communication: 1
Compute: 7
Container Apps: 2
Container Instance: 1
Container Registry: 6
Cosmos DB: 6
Data Box: 2
Data Factory: 4
Data Lake: 2
Desktop Virtualization: 4
ElasticSan: 2
Event Grid: 7
Event Hub: 5
Fluid Relay: 1
General: 2
Guest Configuration: 7
HDInsight: 4
Health Bot: 1
Health Data Services workspace: 1
Health Deidentification Service: 2
Healthcare APIs: 2
Internet of Things: 9
Key Vault: 20
Kubernetes: 24
Logic Apps: 2
Machine Learning: 12
Managed Grafana: 2
Managed Identity: 3
Mobile Network: 1
Monitoring: 13
Network: 7
PostgreSQL: 2
Search: 3
Security Center: 54
Service Bus: 5
Service Fabric: 2
SignalR: 3
Site Recovery: 1
SQL: 41
SQL Managed Instance: 2
Stack HCI: 4
Storage: 24
Stream Analytics: 3
Synapse: 5
VM Image Builder: 1
Web PubSub: 3
Policy-used
Policy DisplayName | Policy Id | Category | Version | Versioning (count: versions) | Default effect | Allowed effects | Roles# | State | Policy in AzUSGov
[Preview]: A managed identity should be enabled on your machines | e4953962-5ae4-43eb-bb92-d66fd5563487 | Automanage | 1.0.0-preview | 1x: 1.0.0-preview | Audit | Audit, Disabled | 0 | Preview | unknown
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall | fc5e4038-4584-4632-8c85-c0448d374b2c | Network | 3.0.0-preview | 1x: 3.0.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | unknown
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | Kubernetes | 6.0.0-preview | 1x: 6.0.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | true
[Preview]: Azure Key Vault Managed HSM should disable public network access | 19ea9d63-adee-4431-a95e-1913c6c1c75f | Key Vault | 1.0.0-preview | 1x: 1.0.0-preview | Audit | Audit, Deny, Disabled | 0 | Preview | unknown
[Preview]: Azure Key Vault Managed HSM should use private link | 59fee2f4-d439-4f1b-9b9a-982e1474bfd8 | Key Vault | 1.0.0-preview | 1x: 1.0.0-preview | Audit | Audit, Disabled | 0 | Preview | unknown
[Preview]: Azure Machine Learning Deployments should only use approved Registry Models | 12e5dd16-d201-47ff-849b-8454061c293d | Machine Learning | 1.0.0-preview | 1x: 1.0.0-preview | Audit | Audit, Deny, Disabled | 0 | Preview | unknown
[Preview]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry | 19539b54-c61e-4196-9a38-67598701be90 | Machine Learning | 1.0.0-preview | 1x: 1.0.0-preview | Fixed: [parameters('effect')] | - | 0 | Preview | unknown
[Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled | fa498b91-8a7e-4710-9578-da944c68d1fe | SQL | 1.0.0-preview | 1x: 1.0.0-preview | Audit | Audit, Disabled | 0 | Preview | true
[Preview]: Azure Recovery Services vaults should use private link for backup | deeddb44-9f94-4903-9fa0-081d524406e3 | Backup | 2.0.0-preview | 1x: 2.0.0-preview | Audit | Audit, Disabled | 0 | Preview | unknown
[Preview]: Azure Stack HCI servers should have consistently enforced application control policies | dad3a6b9-4451-492f-a95c-69efc6f3fada | Stack HCI | 1.0.0-preview | 1x: 1.0.0-preview | AuditIfNotExists | Audit, Disabled, AuditIfNotExists | 0 | Preview | unknown
[Preview]: Azure Stack HCI servers should meet Secured-core requirements | 5e6bf724-0154-49bc-985f-27b2e07e636b | Stack HCI | 1.0.0-preview | 1x: 1.0.0-preview | AuditIfNotExists | Audit, Disabled, AuditIfNotExists | 0 | Preview | unknown
[Preview]: Azure Stack HCI systems should have encrypted volumes | ee8ca833-1583-4d24-837e-96c2af9488a4 | Stack HCI | 1.0.0-preview | 1x: 1.0.0-preview | AuditIfNotExists | Audit, Disabled, AuditIfNotExists | 0 | Preview | unknown
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff | Security Center | 6.0.0-preview | 1x: 6.0.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | true
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | a21f8c92-9e22-4f09-b759-50500d1d2dda | Security Center | 5.1.0-preview | 1x: 5.1.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | true
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | 1cb4d9c2-f88f-4069-bee0-dba239a57b09 | Security Center | 4.0.0-preview | 1x: 4.0.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | true
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | f655e522-adff-494d-95c2-52d4f6d56a42 | Security Center | 3.1.0-preview | 1x: 3.1.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | true
[Preview]: Host and VM networking should be protected on Azure Stack HCI systems | 36f0d6bc-a253-4df8-b25b-c3a5023ff443 | Stack HCI | 1.0.0-preview | 1x: 1.0.0-preview | AuditIfNotExists | Audit, Disabled, AuditIfNotExists | 0 | Preview | unknown
[Preview]: Immutability must be enabled for backup vaults | 2514263b-bc0d-4b06-ac3e-f262c0979018 | Backup | 1.0.1-preview | 2x: 1.0.1-preview, 1.0.0-preview | Audit | Audit, Disabled | 0 | Preview | unknown
[Preview]: Immutability must be enabled for Recovery Services vaults | d6f6f560-14b7-49a4-9fc8-d2c3a9807868 | Backup | 1.0.1-preview | 2x: 1.0.1-preview, 1.0.0-preview | Audit | Audit, Disabled | 0 | Preview | unknown
[Preview]: Linux virtual machines should use only signed and trusted boot components | 13a6c84f-49a5-410a-b5df-5b880c3fe009 | Security Center | 1.0.0-preview | 1x: 1.0.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | unknown
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | Monitoring | 1.0.1-preview | 1x: 1.0.1-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | unknown
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | Monitoring | 1.0.1-preview | 1x: 1.0.1-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | unknown
[Preview]: Managed Identity Federated Credentials from Azure Kubernetes should be from trusted sources | ae62c456-33de-4dc8-b100-7ce9028a7d99 | Managed Identity | 1.0.0-preview | 1x: 1.0.0-preview | Audit | Audit, Disabled, Deny | 0 | Preview | unknown
[Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners | fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f | Managed Identity | 1.0.1-preview | 1x: 1.0.1-preview | Audit | Audit, Disabled, Deny | 0 | Preview | unknown
[Preview]: Managed Identity Federated Credentials should be from allowed issuer types | 2571b7c3-3056-4a61-b00a-9bc5232234f5 | Managed Identity | 1.0.0-preview | 1x: 1.0.0-preview | Audit | Audit, Disabled, Deny | 0 | Preview | unknown
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 04c4380f-3fae-46e8-96c9-30193528f602 | Monitoring | 1.0.2-preview | 1x: 1.0.2-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | true
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | Monitoring | 1.0.2-preview | 1x: 1.0.2-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | Preview | true
[Preview]: Recovery Services vaults should use private link | 11e3da8c-1d68-4392-badd-0ff3c43ab5b0 | Site Recovery | 1.0.0-preview | 1x: 1.0.0-preview | Audit | Audit, Disabled | 0 | Preview | unknown
[Preview]: Secure Boot should be enabled on supported Windows virtual machines | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | Security Center | 4.0.0-preview | 1x: 4.0.0-preview | Audit | Audit, Disabled | 0 | Preview | true
[Preview]: Soft delete should be enabled for Backup Vaults | 9798d31d-6028-4dee-8643-46102185c016 | Backup | 1.0.0-preview | 1x: 1.0.0-preview | Audit | Audit, Disabled | 0 | Preview | unknown
[Preview]: vTPM should be enabled on supported virtual machines | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | Security Center | 2.0.0-preview | 1x: 2.0.0-preview | Audit | Audit, Disabled | 0 | Preview | true
A maximum of 3 owners should be designated for your subscription | 4f11b553-d42e-4e3a-89be-32ca364cad4c | Security Center | 3.0.0 | 1x: 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
A Microsoft Entra administrator should be provisioned for MySQL servers | 146412e9-005c-472b-9e48-c87b72ac229e | SQL | 1.1.1 | 2x: 1.1.1, 1.1.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
A Microsoft Entra administrator should be provisioned for PostgreSQL servers | b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 | SQL | 1.0.1 | 2x: 1.0.1, 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
A vulnerability assessment solution should be enabled on your virtual machines | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | Security Center | 3.0.0 | 1x: 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
All network ports should be restricted on network security groups associated to your virtual machine | 9daedab3-fb2d-461e-b861-71790eead4f6 | Security Center | 3.0.0 | 1x: 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
An Azure Active Directory administrator should be provisioned for SQL servers | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | SQL | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
API endpoints in Azure API Management should be authenticated | 8ac833bd-f505-48d5-887e-c993a1d3eea0 | Security Center | 1.0.1 | 1x: 1.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
API endpoints that are unused should be disabled and removed from the Azure API Management service | c8acafaf-3d23-44d1-9624-978ef0f8652c | Security Center | 1.0.1 | 1x: 1.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
API Management APIs should use only encrypted protocols | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management | 2.0.2 | 1x: 2.0.2 | Audit | Audit, Disabled, Deny | 0 | GA | unknown
API Management calls to API backends should be authenticated | c15dcc82-b93c-4dcb-9332-fbf121685b54 | API Management | 1.0.1 | 1x: 1.0.1 | Audit | Audit, Disabled, Deny | 0 | GA | unknown
API Management calls to API backends should not bypass certificate thumbprint or name validation | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management | 1.0.2 | 1x: 1.0.2 | Audit | Audit, Disabled, Deny | 0 | GA | unknown
API Management direct management endpoint should not be enabled | b741306c-968e-4b67-b916-5675e5c709f4 | API Management | 1.0.2 | 1x: 1.0.2 | Audit | Audit, Disabled, Deny | 0 | GA | unknown
API Management secret named values should be stored in Azure Key Vault | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management | 1.0.2 | 1x: 1.0.2 | Audit | Audit, Disabled, Deny | 0 | GA | unknown
API Management services should use a virtual network | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management | 1.0.2 | 1x: 1.0.2 | Audit | Audit, Deny, Disabled | 0 | GA | true
API Management should disable public network access to the service configuration endpoints | df73bd95-24da-4a4f-96b9-4e8b94b402bd | API Management | 1.0.1 | 1x: 1.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
API Management subscriptions should not be scoped to all APIs | 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 | API Management | 1.1.0 | 1x: 1.1.0 | Audit | Audit, Disabled, Deny | 0 | GA | unknown
App Configuration should disable public network access | 3d9f5e4c-9947-4579-9539-2a7695fbc187 | App Configuration | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
App Configuration should use a SKU that supports private link | 89c8a434-18f0-402c-8147-630a8dea54e0 | App Configuration | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
App Configuration should use private link | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration | 1.0.2 | 1x: 1.0.2 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service app slots should disable public network access | 701a595d-38fb-4a66-ae6d-fb3735217622 | App Service | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled, Deny | 0 | GA | true
App Service app slots should enable end to end encryption | 123aed70-491a-4f07-a569-e1f3a8dd651e | App Service | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
App Service app slots should use managed identity | 4a15c15f-90d5-4a1f-8b63-2903944963fd | App Service | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service app slots should use the latest TLS version | 4ee5b817-627a-435a-8932-116193268172 | App Service | 1.2.0 | 3x: 1.2.0, 1.1.0, 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service apps should disable public network access | 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba | App Service | 1.1.0 | 1x: 1.1.0 | Audit | Audit, Disabled, Deny | 0 | GA | true
App Service apps should enable end to end encryption | af1d7e88-c1c8-4ea8-be1f-87bff0df9101 | App Service | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
App Service apps should have Client Certificates (Incoming client certificates) enabled | 19dd1db6-f442-49cf-a838-b0786b4401ef | App Service | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service apps should have local authentication methods disabled for FTP deployments | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service | 1.0.3 | 1x: 1.0.3 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service apps should have local authentication methods disabled for SCM site deployments | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service | 1.0.3 | 1x: 1.0.3 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service apps should have remote debugging turned off | cb510bfd-1cba-4d9f-a230-cb0976f4bb71 | App Service | 2.0.0 | 1x: 2.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service apps should have resource logs enabled | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service | 2.0.1 | 1x: 2.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service apps should not have CORS configured to allow every resource to access your apps | 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 | App Service | 2.0.0 | 1x: 2.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service apps should only be accessible over HTTPS | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service | 4.0.0 | 1x: 4.0.0 | Audit | Audit, Disabled, Deny | 0 | GA | true
App Service apps should require FTPS only | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | App Service | 3.0.0 | 1x: 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service apps should use a SKU that supports private link | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service | 4.3.0 | 3x: 4.3.0, 4.2.0, 4.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
App Service apps should use managed identity | 2b9ad585-36bc-4615-b300-fd4435808332 | App Service | 3.0.0 | 1x: 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service apps should use private link | 687aa49d-0982-40f8-bf6b-66d1da97a04b | App Service | 1.0.1 | 1x: 1.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
App Service apps should use the latest TLS version | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service | 2.2.0 | 3x: 2.2.0, 2.1.0, 2.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
App Service Environment apps should not be reachable over public internet | 2d048aca-6479-4923-88f5-e2ac295d9af3 | App Service | 3.0.0 | 1x: 3.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
App Service Environment should be configured with strongest TLS Cipher suites | 817dcf37-e83d-4999-a472-644eada2ea1e | App Service | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
App Service Environment should have internal encryption enabled | fb74e86f-d351-4b8d-b034-93da7391c01f | App Service | 1.0.1 | 1x: 1.0.1 | Audit | Audit, Disabled | 0 | GA | true
App Service Environment should have TLS 1.0 and 1.1 disabled | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service | 2.0.1 | 1x: 2.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Application Insights components should block log ingestion and querying from public networks | 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 | Monitoring | 1.1.0 | 1x: 1.1.0 | Audit | audit, Audit, deny, Deny, disabled, Disabled | 0 | GA | unknown
Application Insights components should block non-Azure Active Directory based ingestion. | 199d5677-e4d9-4264-9465-efe1839c06bd | Monitoring | 1.0.0 | 1x: 1.0.0 | Audit | Deny, Audit, Disabled | 0 | GA | unknown
Audit usage of custom RBAC roles | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | General | 1.0.1 | 1x: 1.0.1 | Audit | Audit, Disabled | 0 | GA | true
Auditing on SQL server should be enabled | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | SQL | 2.0.0 | 1x: 2.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Authentication to Linux machines should require SSH keys | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Guest Configuration | 3.2.0 | 2x: 3.2.0, 3.1.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Authorized IP ranges should be defined on Kubernetes Services | 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea | Security Center | 2.0.1 | 1x: 2.0.1 | Audit | Audit, Disabled | 0 | GA | true
Automation Account should have Managed Identity | dea83a72-443c-4292-83d5-54a2f98749c0 | Automation | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Automation account variables should be encrypted | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | Automation | 1.1.0 | 1x: 1.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Automation accounts should disable public network access | 955a914f-bf86-4f0e-acd5-e0766b0efcb6 | Automation | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure AI Search service should use a SKU that supports private link | a049bf77-880b-470f-ba6d-9f21c530cf83 | Search | 1.0.1 | 2x: 1.0.1, 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure AI Search services should disable public network access | ee980b6d-0eca-4501-8d54-f6290fd512c3 | Search | 1.0.1 | 2x: 1.0.1, 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services | 2.2.0 | 2x: 2.2.0, 2.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure AI Services resources should have key access disabled (disable local authentication) | 71ef260a-8f18-47b7-abcb-62d0673d94dc | Azure Ai Services | 1.1.0 | 2x: 1.1.0, 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure AI Services resources should restrict network access | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Azure Ai Services | 3.3.0 | 4x: 3.3.0, 3.2.0, 3.1.0, 3.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure AI Services resources should use Azure Private Link | d6759c02-b87f-42b7-892e-71b3f471d782 | Azure Ai Services | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | true
Azure API for FHIR should use a customer-managed key to encrypt data at rest | 051cba44-2429-45b9-9649-46cec11c7119 | API for FHIR | 1.1.0 | 1x: 1.1.0 | Audit | audit, Audit, disabled, Disabled | 0 | GA | unknown
Azure API for FHIR should use private link | 1ee56206-5dd1-42ab-b02d-8aae8b1634ce | API for FHIR | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Azure API Management platform version should be stv2 | 1dc2fc00-2245-4143-99f4-874c937f13ef | API Management | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | 6b2122c1-8120-4ff5-801b-17625a355590 | Kubernetes | 1.1.0 | 1x: 1.1.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Arc Private Link Scopes should be configured with a private endpoint | 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 | Azure Arc | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Azure Arc Private Link Scopes should disable public network access | 898f2439-3333-4713-af25-f1d78bc50556 | Azure Arc | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope | 12e7176a-4919-47ef-922b-34eda4c7f0ce | Azure Arc | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope | efa3f296-ff2b-4f38-bc0d-5ef12c965b68 | Azure Arc | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Attestation providers should disable public network access | 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97 | Attestation | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Automation accounts should use customer-managed keys to encrypt data at rest | 56a5ee18-2ae6-4810-86f7-18e39ce5629b | Automation | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Backup should be enabled for Virtual Machines | 013e242c-8828-4970-87b3-ab247555486d | Backup | 3.0.0 | 1x: 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Batch account should use customer-managed keys to encrypt data | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | Batch | 1.0.1 | 1x: 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Batch pools should have disk encryption enabled | 1760f9d4-7206-436e-a28f-d9f3a5c8a227 | Batch | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled, Deny | 0 | GA | unknown
Azure Cache for Redis Enterprise should use customer-managed keys for encrypting disk data | 09aa11bb-87ec-409f-bf0b-49b7c1561a87 | Cache | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Cache for Redis Enterprise should use private link | 960e650e-9ce3-4316-9590-8ee2c016ca2f | Cache | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Azure Cache for Redis should disable public network access | 470baccb-7e51-4549-8b1a-3e5be069f663 | Cache | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Cache for Redis should use private link | 7803067c-7d34-46e3-8c79-0ca68fc4036d | Cache | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Container Instance container group should use customer-managed key for encryption | 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 | Container Instance | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled, Deny | 0 | GA | true
Azure Cosmos DB accounts should have firewall rules | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Cosmos DB | 2.1.0 | 2x: 2.1.0, 2.0.0 | Deny | Audit, Deny, Disabled | 0 | GA | true
Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration. | 9d83ccb1-f313-46ce-9d39-a198bfdb51a0 | Cosmos DB | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | true
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Cosmos DB | 1.1.0 | 1x: 1.1.0 | Audit | audit, Audit, deny, Deny, disabled, Disabled | 0 | GA | true
Azure Cosmos DB should disable public network access | 797b37f7-06b8-444c-b1ad-fc62867f335a | Cosmos DB | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Data Box jobs should enable double encryption for data at rest on the device | c349d81b-9985-44ae-a8da-ff98d108ede8 | Data Box | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | 86efb160-8de7-451d-bc08-5d475b0aadae | Data Box | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Data Explorer cluster should use private link | f7735886-8927-431f-b201-c953922512b8 | Azure Data Explorer | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Azure Data Explorer encryption at rest should use a customer-managed key | 81e74cea-30fd-40d5-802f-d72103c2aaaa | Azure Data Explorer | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Data Explorer should use a SKU that supports private link | 1fec9658-933f-4b3e-bc95-913ed22d012b | Azure Data Explorer | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure data factories should be encrypted with a customer-managed key | 4ec52d6d-beb7-40c4-9a9e-fe753254690e | Data Factory | 1.0.1 | 1x: 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | f78ccdb4-7bf4-4106-8647-270491d2978a | Data Factory | 2.1.0 | 1x: 2.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Data Factory should use private link | 8b0323be-cc25-4b61-935d-002c3798c6ea | Data Factory | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Databricks Clusters should disable public IP | 51c1490f-3319-459c-bbbc-7f391bbed753 | Azure Databricks | 1.0.1 | 1x: 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Databricks Workspaces should be in a virtual network | 9c25c9e4-ee12-4882-afd2-11fb9d87893f | Azure Databricks | 1.0.2 | 1x: 1.0.2 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption | 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 | Azure Databricks | 1.0.1 | 1x: 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Databricks Workspaces should disable public network access | 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 | Azure Databricks | 1.0.1 | 1x: 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Databricks Workspaces should use private link | 258823f2-4595-4b52-b333-cc96192710d8 | Azure Databricks | 1.0.2 | 1x: 1.0.2 | Audit | Audit, Disabled | 0 | GA | true
Azure DDoS Protection should be enabled | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Security Center | 3.0.1 | 2x: 3.0.1, 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Defender for App Service should be enabled | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Security Center | 1.0.3 | 1x: 1.0.3 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Azure Defender for Azure SQL Database servers should be enabled | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | Security Center | 1.0.2 | 1x: 1.0.2 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Defender for Key Vault should be enabled | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Security Center | 1.0.3 | 1x: 1.0.3 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Azure Defender for open-source relational databases should be enabled | 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | Security Center | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Azure Defender for Resource Manager should be enabled | c3d20c29-b36d-48fe-808b-99a87530ad99 | Security Center | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Defender for servers should be enabled | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Security Center | 1.0.3 | 1x: 1.0.3 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Defender for SQL servers on machines should be enabled | 6581d072-105e-4418-827f-bd446d56421b | Security Center | 1.0.2 | 1x: 1.0.2 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Azure Defender for SQL should be enabled for unprotected Azure SQL servers | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | SQL | 2.0.1 | 1x: 2.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Defender for SQL should be enabled for unprotected MySQL flexible servers | 3bc8a0d5-38e0-4a3d-a657-2cb64468fc34 | Security Center | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers | d38668f5-d155-42c7-ab3d-9b57b50f8fbf | Security Center | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | SQL | 1.0.2 | 1x: 1.0.2 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Device Update accounts should use customer-managed key to encrypt data at rest | 43c323f6-0329-4f7c-a19a-6e5a5690d042 | Internet of Things | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Device Update for IoT Hub accounts should use private link | 27d4c5ec-8820-443f-91fe-1215e96f64b2 | Internet of Things | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Azure Edge Hardware Center devices should have double encryption support enabled | 08a6b96f-576e-47a2-8511-119a212d344d | Azure Edge Hardware Center | 2.0.0 | 1x: 2.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure Event Grid domains should disable public network access | f8f774be-6aee-492a-9e29-486ef81f3a68 | Event Grid | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Event Grid domains should use private link | 9830b652-8523-49cc-b1b3-e17dce1127ca | Event Grid | 1.0.2 | 1x: 1.0.2 | Audit | Audit, Disabled | 0 | GA | true
Azure Event Grid namespace MQTT broker should use private link | cd8f7644-6fe8-4516-bded-0e465ead03ac | Event Grid | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Azure Event Grid namespace topic broker should use private link | 1301a000-bc6b-4d90-8414-7091e3abdc40 | Event Grid | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Azure Event Grid namespaces should disable public network access | 67dcad1a-ec60-45df-8fd0-14c9d29eeaa2 | Event Grid | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Event Grid topics should disable public network access | 1adadefe-5f21-44f7-b931-a59b54ccdb45 | Event Grid | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Event Grid topics should use private link | 4b90e17e-8448-49db-875e-bd83fb6f804f | Event Grid | 1.0.2 | 1x: 1.0.2 | Audit | Audit, Disabled | 0 | GA | true
Azure File Sync should use private link | 1d320205-c6a1-4ac6-873d-46224024e8e2 | Storage | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link | dfc212af-17ea-423a-9dcb-91e2cb2caa6b | CDN | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure Front Door should have Resource logs enabled | 8a04f872-51e9-4313-97fb-fc1c35430fd8 | Monitoring | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Azure Front Door Standard and Premium should be running minimum TLS version of 1.2 | 679da822-78a7-4eff-8fff-a899454a9970 | CDN | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | 64d314f6-6062-4780-a861-c23e8951bee5 | HDInsight | 1.0.1 | 1x: 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure HDInsight clusters should use encryption at host to encrypt data at rest | 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6 | HDInsight | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | d9da03a1-f3c3-412a-9709-947156872263 | HDInsight | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Azure HDInsight should use private link | c8cc2f85-e019-4065-9fa3-5e6a2b2dde56 | HDInsight | 1.0.0 | 1x: 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Azure Health Bots should use customer-managed keys to encrypt data at rest | 4d080fa5-a6d2-4f98-ba9c-f482d0d335c0 | Health Bot | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Azure Health Data Services de-identification service should disable public network access | c5f34731-7ab9-42ff-922d-ef4920068b74 | Health Deidentification Service | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Azure Health Data Services de-identification service should use private link | d9b2d63d-a233-4123-847a-7f7e5f5d7e7a | Health Deidentification Service | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Azure Health Data Services workspace should use private link | 64528841-2f92-43f6-a137-d52e5c3dbeac | Health Data Services workspace | 1.0.0 | 1x: 1.0.0 | Audit | Audit, Disabled
0 GA true
Azure Key Vault should disable public network access 405c5871-3e91-4644-8a63-58e19d68ff5b Key Vault 1.1.0 1x
1.1.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Key Vault should have firewall enabled or public network access disabled 55615ac9-af46-4a59-874e-391cc3dfb490 Key Vault 3.3.0 2x
3.3.0, 3.2.1
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Key Vault should use RBAC permission model 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 Key Vault 1.0.1 2x
1.0.1, 1.0.0-preview
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Key Vaults should use private link a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Key Vault 1.2.1 1x
1.2.1
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration 450d2877-ebea-41e8-b00c-e286317d21bf Kubernetes 1.0.2 1x
1.0.2
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Azure Kubernetes Service clusters should have Defender profile enabled a1840de2-8088-4ea8-b153-b4c723e9cb01 Kubernetes 2.0.1 1x
2.0.1
Default
Audit
Allowed
Audit, Disabled
0 GA true
Azure load testing resource should use customer-managed keys to encrypt data at rest 65c4f833-1f2e-426c-8780-f6d7593bed7a Azure Load Testing 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Machine Learning and Ai Studio should use Allow Only Approved Outbound Managed Vnet mode 6ddb1705-c8cf-450e-aa4b-19ad6703c440 Machine Learning 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Machine Learning compute instances should be recreated to get the latest software updates f110a506-2dcb-422e-bcea-d533fc8c35e2 Machine Learning 1.0.3 1x
1.0.3
Fixed
[parameters('effects')]
0 GA true
Azure Machine Learning Computes should be in a virtual network 7804b5c7-01dc-4723-969b-ae300cc07ff1 Machine Learning 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Disabled
0 GA true
Azure Machine Learning Computes should have local authentication methods disabled e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Machine Learning 2.1.0 2x
2.1.0, 2.0.1
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Machine Learning workspaces should be encrypted with a customer-managed key ba769a63-b8cc-4b2d-abf6-ac33c7204be8 Machine Learning 1.1.0 2x
1.1.0, 1.0.3
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Machine Learning workspaces should be encrypted with the use of a customer-managed key 7f40cee6-e933-4d0f-a782-b96615e0f4a6 Machine Learning 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA unknown
Azure Machine Learning Workspaces should disable public network access 438c38d2-3772-465a-a9cc-7a6666a275ce Machine Learning 2.0.1 1x
2.0.1
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Machine Learning workspaces should use private link 45e05259-1eb5-4f70-9574-baf73e9d219b Machine Learning 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA true
Azure Machine Learning workspaces should use user-assigned managed identity 5f0c7d88-c7de-45b8-ac49-db49e72eaa78 Machine Learning 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Managed Grafana workspaces should disable public network access e8775d5a-73b7-4977-a39b-833ef0114628 Managed Grafana 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Managed Grafana workspaces should use private link 3a97e513-f75e-4230-8137-1efad4eadbbc Managed Grafana 1.0.1 2x
1.0.1, 1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) ea0dfaed-95fb-448c-934e-d6e713ce393d Monitoring 1.1.0 1x
1.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Azure Monitor Logs clusters should be encrypted with customer-managed key 1f68a601-6e6d-4e42-babf-3f643a047ea2 Monitoring 1.1.0 1x
1.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Azure Monitor Private Link Scope should block access to non private link resources a499fed8-bcc8-4195-b154-641f14743757 Monitoring 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Monitor Private Link Scope should use private link 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 Monitoring 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA unknown
Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled 40e85574-ef33-47e8-a854-7a65c7500560 SQL 1.0.1 2x
1.0.1, 1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA unknown
Azure NetApp Files SMB Volumes should use SMB3 encryption ddcf4b94-9dfa-4a80-aca6-22bb654fde72 Storage 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data encryption 7c6c7139-7d8e-45d0-9d94-72386a61308b Storage 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters 0a15ec92-a229-4763-bb14-0ea34a568f8d Kubernetes 1.0.2 1x
1.0.2
Default
Audit
Allowed
Audit, Disabled
0 GA true
Azure Purview accounts should use private link 9259053b-ddb8-40ab-842a-0aef19d0ade4 Azure Purview 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) 090c7b07-b4ed-4561-ad20-e9075f3ccaff Security Center 1.0.1 2x
1.0.1, 1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 Security Center 1.0.1 2x
1.0.1, 1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Azure Service Bus namespaces should use private link 1c06e275-d63d-4540-b761-71f364c2111d Service Bus 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Azure SignalR Service should disable public network access 21a9766a-82a5-4747-abb5-650b6dbba6d0 SignalR 1.2.0 2x
1.2.0, 1.1.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure SignalR Service should use a Private Link enabled SKU 464a1620-21b5-448d-8ce6-d4ac6d1bc49a SignalR 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure SignalR Service should use private link 2393d2cf-a342-44cd-a2e2-fe0188fd1234 SignalR 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA true
Azure Spring Cloud should use network injection af35e2a4-ef96-44e7-a9ae-853dd97032c4 App Platform 1.2.0 1x
1.2.0
Default
Audit
Allowed
Audit, Disabled, Deny
0 GA unknown
Azure SQL Database should be running TLS version 1.2 or newer 32e6bbec-16b6-44c2-be37-c5b672d103cf SQL 2.0.0 1x
2.0.0
Default
Audit
Allowed
Audit, Disabled, Deny
0 GA true
Azure SQL Database should have Microsoft Entra-only authentication enabled b3a22bc9-66de-45fb-98fa-00f5df42f41a SQL 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure SQL Database should have Microsoft Entra-only authentication enabled during creation abda6d70-9778-44e7-84a8-06713e6db027 SQL 1.2.0 2x
1.2.0, 1.1.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled 0c28c3fb-c244-42d5-a9bf-f35f2999577b SQL 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure SQL Managed Instances should disable public network access 9dfea752-dd46-4766-aed1-c355fa93fb91 SQL 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation 78215662-041e-49ed-a9dd-5385911b3a1f SQL 1.2.0 2x
1.2.0, 1.1.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Stack Edge devices should use double-encryption b4ac1030-89c5-4697-8e00-28b5ba6a8811 Azure Stack Edge 1.1.0 1x
1.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Azure Stream Analytics jobs should use customer-managed keys to encrypt data 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 Stream Analytics 1.1.0 1x
1.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Azure Synapse workspaces should disable public network access 38d8df46-cf4e-4073-8e03-48c24b29de0d Synapse 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest f7d52b2d-e161-4dfa-a82b-55e564167385 Synapse 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Synapse workspaces should use private link 72d11df1-dd8a-41f7-8925-b05b960ebafc Synapse 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Disabled
0 GA true
Azure Virtual Desktop hostpools should disable public network access c25dcf31-878f-4eba-98eb-0818fdc6a334 Desktop Virtualization 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Virtual Desktop hostpools should disable public network access only on session hosts a22065a3-3b04-46ff-b84c-2d30e5c300d0 Desktop Virtualization 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Virtual Desktop service should use private link ca950cd7-02f7-422e-8c23-91ff40f169c1 Desktop Virtualization 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Azure Virtual Desktop workspaces should disable public network access 87ac3038-c07a-4b92-860d-29e270a4f3cd Desktop Virtualization 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Web Application Firewall should be enabled for Azure Front Door entry-points 055aa869-bc98-4af8-bafc-23f1ab6ffe2c Network 1.0.2 1x
1.0.2
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Azure Web PubSub Service should disable public network access bf45113f-264e-4a87-88f9-29ac8a0aca6a Web PubSub 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Web PubSub Service should use a SKU that supports private link 82909236-25f3-46a6-841c-fe1020f95ae1 Web PubSub 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Azure Web PubSub Service should use private link eb907f70-7514-460d-92b3-a5ae93b4f917 Web PubSub 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Blocked accounts with owner permissions on Azure resources should be removed 0cfea604-3201-4e14-88fc-fae4c427a6c5 Security Center 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Blocked accounts with read and write permissions on Azure resources should be removed 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be Security Center 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Bot Service endpoint should be a valid HTTPS URI 6164527b-e1ee-4882-8673-572f425f5e0a Bot Service 1.1.0 1x
1.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Bot Service should be encrypted with a customer-managed key 51522a96-0869-4791-82f3-981000c2c67f Bot Service 1.1.0 1x
1.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Bot Service should have public network access disabled 5e8168db-69e3-4beb-9822-57cb59202a9d Bot Service 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 Kubernetes 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
BotService resources should use private link ad5621d6-a877-4407-aa93-a950b428315e Bot Service 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Certificates should have the specified maximum validity period 0a075868-4c26-42ef-914c-5bc007359560 Key Vault 2.2.1 2x
2.2.1, 2.2.0-preview
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Certificates should not expire within the specified number of days f772fb64-8e40-40ad-87bc-7706e1949427 Key Vault 2.1.1 2x
2.1.1, 2.1.0-preview
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Cognitive Services accounts should use a managed identity fe3fd216-4f83-4fc1-8984-2bbec80a3418 Cognitive Services 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Communication service resource should use a managed identity bcff6755-335b-484d-b435-d1161db39cdc Communication 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Configure Azure AI Services resources to disable local key access (disable local authentication) 55eff01b-f2bd-4c32-9203-db285f709d30 Azure Ai Services 1.0.0 1x
1.0.0
Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
2 Cognitive Services Contributor, Cognitive Services OpenAI Contributor GA unknown
Container Apps environment should disable public network access d074ddf8-01a5-4b5e-a2b8-964aed452c0a Container Apps 1.1.0 2x
1.1.0, 1.0.1
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Container registries should be encrypted with a customer-managed key 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container Registry 1.1.2 1x
1.1.2
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Container registries should have local admin account disabled. dc921057-6b28-4fbe-9b83-f7bec05db6c2 Container Registry 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Container registries should have SKUs that support Private Links bd560fc0-3c69-498a-ae9f-aa8eb7de0e13 Container Registry 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Container registries should not allow unrestricted network access d0793b48-0edc-4296-a390-4c75d1bdfd71 Container Registry 2.0.0 1x
2.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Container registries should use private link e8eef0a8-67cf-4eb4-9386-14b0e78733d4 Container Registry 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Disabled
0 GA true
Cosmos DB database accounts should have local authentication methods disabled 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 Cosmos DB 1.1.0 1x
1.1.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
CosmosDB accounts should use private link 58440f8a-10c5-4151-bdce-dfbaad4a20b7 Cosmos DB 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA true
Customer managed key encryption must be used as part of CMK Encryption for Arc SQL managed instances. 413923f0-ff16-41ae-8583-90c5c5d9fa8f SQL Managed Instance 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Diagnostic logs in Azure AI services resources should be enabled 1b4d1c4e-934c-4703-944c-27c82c06bebb Azure Ai Services 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
DICOM Service should use a customer-managed key to encrypt data at rest 14961b63-a1eb-4378-8725-7e84ca8db0e6 Healthcare APIs 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Disk access resources should use private link f39f5f49-4abf-44de-8c70-0756997bfb51 Compute 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Disk encryption should be enabled on Azure Data Explorer f4b53539-8df9-40e4-86c6-6b607703bd4e Azure Data Explorer 2.0.0 1x
2.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Double encryption should be enabled on Azure Data Explorer ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 Azure Data Explorer 2.0.0 1x
2.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
ElasticSan should disable public network access 6a92fe1f-0b86-44ae-843d-2db3d2b571ae ElasticSan 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
ElasticSan Volume Group should use customer-managed keys to encrypt data at rest 7698f4ed-80ce-4e13-b408-ee135fa400a5 ElasticSan 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Email notification for high severity alerts should be enabled 6e2593d9-add6-4083-9c9b-4b7d2188c899 Security Center 1.2.0 3x
1.2.0, 1.1.0, 1.0.1
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Email notification to subscription owner for high severity alerts should be enabled 0b15565f-aa9e-48ba-8619-45960f2c314d Security Center 2.1.0 2x
2.1.0, 2.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Enforce SSL connection should be enabled for MySQL database servers e802a67a-daf5-4436-9ea6-f6d821dd0c5d SQL 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Disabled
0 GA true
Enforce SSL connection should be enabled for PostgreSQL database servers d158790f-bfb0-486c-8631-2dc6b4e8e6af SQL 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Disabled
0 GA true
Event Hub Namespaces should disable public network access 0602787f-9896-402a-a6e1-39ee63ee435e Event Hub 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Event Hub namespaces should have double encryption enabled 836cd60e-87f3-4e6a-a27c-29d687f01a4c Event Hub 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Event Hub namespaces should use a customer-managed key for encryption a1ad735a-e96f-45d2-a7b2-9a4932cab7ec Event Hub 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA true
Event Hub namespaces should use private link b8564268-eb4a-4337-89be-a19db070c59d Event Hub 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
FHIR Service should use a customer-managed key to encrypt data at rest c42dee8c-0202-4a12-bd8e-3e171cbf64dd Healthcare APIs 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Flow logs should be configured for every network security group c251913d-7d24-4958-af87-478ed3b9ba41 Network 1.1.0 1x
1.1.0
Default
Audit
Allowed
Audit, Disabled
0 GA true
Fluid Relay should use customer-managed keys to encrypt data at rest 46388f67-373c-4018-98d3-2b83172dd13a Fluid Relay 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Function app slots should disable public network access 11c82d0c-db9f-4d7b-97c5-f3f9aa957da2 App Service 1.1.0 2x
1.1.0, 1.0.0
Default
Audit
Allowed
Audit, Disabled, Deny
0 GA true
Function app slots should enable end to end encryption cbe0e5eb-fea9-491d-ab20-a62cf049c5ae App Service 1.1.0 2x
1.1.0, 1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Function app slots should use the latest TLS version deb528de-8f89-4101-881c-595899253102 App Service 1.3.0 4x
1.3.0, 1.2.0, 1.1.0, 1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA unknown
Function apps should disable public network access 969ac98b-88a8-449f-883c-2e9adb123127 App Service 1.1.0 2x
1.1.0, 1.0.0
Default
Audit
Allowed
Audit, Disabled, Deny
0 GA true
Function apps should enable end to end encryption 387140f1-6da9-4741-bcee-3b5edcdfd9ec App Service 1.1.0 2x
1.1.0, 1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Function apps should have Client Certificates (Incoming client certificates) enabled ab6a902f-9493-453b-928d-62c30b11b5a6 App Service 1.1.0 2x
1.1.0, 1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Function apps should have remote debugging turned off 0e60b895-3786-45da-8377-9c6b4b6ac5f9 App Service 2.1.0 2x
2.1.0, 2.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Function apps should not have CORS configured to allow every resource to access your apps 0820b7b9-23aa-4725-a1ce-ae4558f718e5 App Service 2.1.0 2x
2.1.0, 2.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Function apps should only be accessible over HTTPS 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab App Service 5.1.0 2x
5.1.0, 5.0.0
Default
Audit
Allowed
Audit, Disabled, Deny
0 GA true
Function apps should require FTPS only 399b2637-a50f-4f95-96f8-3a145476eb15 App Service 3.1.0 2x
3.1.0, 3.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Function apps should use managed identity 0da106f2-4ca3-48e8-bc85-c638fe6aea8f App Service 3.1.0 2x
3.1.0, 3.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Function apps should use the latest TLS version f9d614c5-c173-4d56-95a7-b4437057d193 App Service 2.3.0 4x
2.3.0, 2.2.0, 2.1.0, 2.0.1
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Geo-redundant backup should be enabled for Azure Database for MariaDB 0ec47710-77ff-4a3d-9181-6aa50af424d0 SQL 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Disabled
0 GA true
Geo-redundant backup should be enabled for Azure Database for MySQL 82339799-d096-41ae-8538-b108becf0970 SQL 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Disabled
0 GA true
Geo-redundant backup should be enabled for Azure Database for PostgreSQL 48af4db5-9b8b-401c-8e74-076be876a430 SQL 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Disabled
0 GA true
Guest accounts with owner permissions on Azure resources should be removed 339353f6-2387-4a45-abe4-7f529d121046 Security Center 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Guest accounts with read permissions on Azure resources should be removed e9ac8f8e-ce22-4355-8f04-99b911d6be52 Security Center 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Guest accounts with write permissions on Azure resources should be removed 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 Security Center 1.0.0 1x
1.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Guest Configuration extension should be installed on your machines ae89ebca-1c92-4898-ac2c-9f63decb045c Security Center 1.0.3 1x
1.0.3
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
HPC Cache accounts should use customer-managed key for encryption 970f84d8-71b6-4091-9979-ace7e3fb6dbb Storage 2.0.0 1x
2.0.0
Default
Audit
Allowed
Audit, Disabled, Deny
0 GA unknown
Infrastructure encryption should be enabled for Azure Database for MySQL servers 3a58212a-c829-4f13-9872-6371df2fd0b4 SQL 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers 24fba194-95d6-48c0-aea7-f65bf859c598 SQL 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Internet-facing virtual machines should be protected with network security groups f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Security Center 3.0.0 1x
3.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
IoT Central should use private link 9ace2dbc-4b71-48b6-b2a7-428b0b2e3944 Internet of Things 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
IoT Hub device provisioning service instances should disable public network access d82101f3-f3ce-4fc5-8708-4c09f4009546 Internet of Things 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA unknown
IoT Hub device provisioning service instances should use private link df39c015-56a4-45de-b4a3-efe77bed320d Internet of Things 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA true
IP Forwarding on your virtual machine should be disabled bd352bd5-2853-4985-bf0d-73806b4a5744 Security Center 3.0.0 1x
3.0.0
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA true
Key Vault keys should have an expiration date 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 Key Vault 1.0.2 1x
1.0.2
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Key Vault secrets should have an expiration date 98728c90-32c7-4049-8429-847dc0f4fe37 Key Vault 1.0.2 1x
1.0.2
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Key vaults should have deletion protection enabled 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key Vault 2.1.0 1x
2.1.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Key vaults should have soft delete enabled 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key Vault 3.1.0 2x
3.1.0, 3.0.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
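The vault-level Key Vault rows in this listing (public network access disabled, firewall enabled or public access disabled, RBAC permission model, deletion protection, soft delete) all evaluate properties of a Microsoft.KeyVault/vaults resource. The following added example, which is not from this page and not Microsoft's policy rule JSON, applies an offline approximation of those five checks to a vault's ARM JSON, the kind of pre-deployment lint you would run on Bicep or ARM output before the policy engine sees the resource. The property names are the real resource properties; the pass/fail logic, the function names and the two sample vaults are mine and are labelled as such in the code.

```python
# Added example (not from this page or from Microsoft's policy definitions): an offline
# approximation of five Key Vault policies in this initiative, run against a vault's
# ARM resource JSON. Property names are the real Microsoft.KeyVault/vaults properties;
# the pass/fail logic is my reading of each policy's display name, not its rule JSON.

KEY_VAULT_CHECKS = {
    "405c5871-3e91-4644-8a63-58e19d68ff5b": "Azure Key Vault should disable public network access",
    "55615ac9-af46-4a59-874e-391cc3dfb490": "Azure Key Vault should have firewall enabled or public network access disabled",
    "12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5": "Azure Key Vault should use RBAC permission model",
    "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": "Key vaults should have deletion protection enabled",
    "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": "Key vaults should have soft delete enabled",
}

def _lower(value, default):
    # ARM omits properties left at their default, so a missing value means that default
    return str(default if value is None else value).lower()

def evaluate_key_vault(resource):
    """Return {policy guid: compliant} for one Microsoft.KeyVault/vaults resource."""
    if str(resource.get("type", "")).lower() != "microsoft.keyvault/vaults":
        raise ValueError("expected a Microsoft.KeyVault/vaults resource")
    props = resource.get("properties") or {}
    acls = props.get("networkAcls") or {}
    public_disabled = _lower(props.get("publicNetworkAccess"), "Enabled") == "disabled"
    firewall_default_deny = _lower(acls.get("defaultAction"), "Allow") == "deny"
    return {
        "405c5871-3e91-4644-8a63-58e19d68ff5b": public_disabled,
        "55615ac9-af46-4a59-874e-391cc3dfb490": public_disabled or firewall_default_deny,
        "12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5": props.get("enableRbacAuthorization") is True,
        "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": props.get("enablePurgeProtection") is True,
        # soft delete is on by default for new vaults, so only an explicit false fails here
        "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": props.get("enableSoftDelete") is not False,
    }

def non_compliant(resource):
    """Display names of the checks the resource fails, in KEY_VAULT_CHECKS order."""
    results = evaluate_key_vault(resource)
    return [name for guid, name in KEY_VAULT_CHECKS.items() if not results[guid]]

# Constructed sample vaults (hypothetical names): one still on access policies with a
# public endpoint, and the same vault with the settings these policies ask for.
WEAK_VAULT = {
    "type": "Microsoft.KeyVault/vaults",
    "name": "kv-example-weak",
    "properties": {
        "enableRbacAuthorization": False,
        "enableSoftDelete": True,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
    },
}
HARDENED_VAULT = {
    "type": "Microsoft.KeyVault/vaults",
    "name": "kv-example-hardened",
    "properties": {
        "enableRbacAuthorization": True,
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
    },
}
```

Note the difference between the two network rows: a vault whose firewall default action is Deny satisfies 55615ac9 but still fails 405c5871, which only accepts publicNetworkAccess set to Disabled; assigning both with Deny effect means private-endpoint-only vaults are the only ones that deploy.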
Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation. d8cf8476-a2ec-4916-896e-992351803c44 Key Vault 1.0.0 1x
1.0.0
Default
Audit
Allowed
Audit, Disabled
0 GA unknown
Keys should have the specified maximum validity period 49a22571-d204-4c91-a7b6-09b1a586fbc9 Key Vault 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Keys should not be active for longer than the specified number of days c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 Key Vault 1.0.1 1x
1.0.1
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes 9.3.0 3x
9.3.0, 9.2.0, 9.1.0
Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes cluster containers should not share host namespaces 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes 6.0.0 3x
6.0.0, 5.2.0, 5.1.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Kubernetes cluster containers should only use allowed AppArmor profiles 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes 6.2.1 3x
6.2.1, 6.2.0, 6.1.1
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes cluster containers should only use allowed capabilities c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes 6.2.0 2x
6.2.0, 6.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes cluster containers should only use allowed images febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes 9.3.0 4x
9.3.0, 9.2.0, 9.1.1, 9.1.0
Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes cluster containers should run with a read only root file system df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes 6.3.0 3x
6.3.0, 6.2.0, 6.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes cluster pod hostPath volumes should only use allowed host paths 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes 6.3.0 3x
6.3.0, 6.2.0, 6.1.1
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes cluster pods and containers should only run with approved user and group IDs f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes 6.2.0 2x
6.2.0, 6.1.1
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes cluster pods should only use approved host network and port list 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes 7.0.0 3x
7.0.0, 6.2.0, 6.1.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Kubernetes cluster services should listen only on allowed ports 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes 8.2.0 2x
8.2.0, 8.1.0
Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes cluster should not allow privileged containers 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes 9.2.0 2x
9.2.0, 9.1.0
Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes clusters should be accessible only over HTTPS 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes 8.2.0 2x
8.2.0, 8.1.0
Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes clusters should disable automounting API credentials 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes 4.2.0 2x
4.2.0, 4.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes clusters should not allow container privilege escalation 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes 8.0.0 3x
8.0.0, 7.2.0, 7.1.0
Default
Audit
Allowed
Audit, Deny, Disabled
0 GA true
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes 5.1.0 1x
5.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Kubernetes clusters should not use the default namespace 9f061a12-e40d-4183-a00e-171812443373 Kubernetes 4.2.0 2x
4.2.0, 4.1.0
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA true
Display name | Id | Category | Version | Versions | Default effect | Allowed effects | Roles | State | AzUSGov
Linux machines should meet requirements for the Azure compute security baseline | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Guest Configuration | 2.2.0 | 2.2.0, 2.1.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | Guest Configuration | 1.2.1 | 1.2.1, 1.2.0-preview, 1.1.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Log Analytics workspaces should block log ingestion and querying from public networks | 6c53d030-cc64-46f0-906d-2bc061cd1334 | Monitoring | 1.1.0 | 1.1.0 | Audit | audit, Audit, deny, Deny, disabled, Disabled | 0 | GA | unknown
Logic Apps Integration Service Environment should be encrypted with customer-managed keys | 1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5 | Logic Apps | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Machines should be configured to periodically check for missing system updates | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Azure Update Manager | 3.9.0 | 3.9.0, 3.8.0, 3.7.0, 3.6.0, 3.5.0, 3.4.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Machines should have secret findings resolved | 3ac7c827-eea2-4bde-acc7-9568cd320efa | Security Center | 1.0.2 | 1.0.2 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Managed disks should be double encrypted with both platform-managed and customer-managed keys | ca91455f-eace-4f96-be59-e6e2c35b4816 | Compute | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Managed disks should disable public network access | 8405fdab-1faf-48aa-b702-999c9c172094 | Compute | 2.1.0 | 2.1.0, 2.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | d461a302-a187-421a-89ac-84acdb4edc04 | Compute | 2.0.0 | 2.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Managed Identity should be enabled for Container Apps | b874ab2d-72dd-47f1-8cb5-4a306478a4e7 | Container Apps | 1.0.1 | 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Management ports of virtual machines should be protected with just-in-time network access control | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Security Center | 3.0.0 | 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Management ports should be closed on your virtual machines | 22730e10-96f6-4aac-ad84-9383d35b5917 | Security Center | 3.0.0 | 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Microsoft Defender CSPM should be enabled | 1f90fc71-a595-4066-8974-d4d0802e8ef0 | Security Center | 1.0.0 | 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Microsoft Defender for APIs should be enabled | 7926a6d1-b268-4586-8197-e8ae90c877d7 | Security Center | 1.0.3 | 1.0.3 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Microsoft Defender for Containers should be enabled | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | Security Center | 1.0.0 | 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces | d31e5c31-63b2-4f12-887b-e49456834fa1 | Security Center | 1.0.0 | 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers | 938c4981-c2c9-4168-9cd6-972b8675f906 | Security Center | 1.1.0 | 1.1.0, 1.0.1 | Audit | Audit, Disabled | 0 | GA | unknown
Microsoft Defender for Storage should be enabled | 640d2586-54d2-465f-877f-9ffc1d2109f4 | Security Center | 1.0.0 | 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
MySQL servers should use customer-managed keys to encrypt data at rest | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | SQL | 1.0.4 | 1.0.4 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Network Watcher should be enabled | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | Network | 3.0.0 | 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Non-internet-facing virtual machines should be protected with network security groups | bb91dfba-c30d-4263-9add-9c2384e659a6 | Security Center | 3.0.0 | 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Only secure connections to your Azure Cache for Redis should be enabled | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Cache | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
OS and data disks should be encrypted with a customer-managed key | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | Compute | 3.0.0 | 3.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
PostgreSQL flexible servers should be running TLS version 1.2 or newer | a43d5475-c569-45ce-a268-28fa79f4e87a | PostgreSQL | 1.1.0 | 1.1.0, 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest | 12c74c95-0efd-48da-b8d9-2a7d68470c92 | PostgreSQL | 1.1.0 | 1.1.0, 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
PostgreSQL servers should use customer-managed keys to encrypt data at rest | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | SQL | 1.0.4 | 1.0.4 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Private endpoint connections on Azure SQL Database should be enabled | 7698e800-9299-47a6-b3b6-5a0fee576eed | SQL | 1.1.0 | 1.1.0 | Audit | Audit, Disabled | 0 | GA | true
Private endpoint should be enabled for MariaDB servers | 0a1302fb-a631-4106-9753-f3d494733990 | SQL | 1.0.2 | 1.0.2 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Private endpoint should be enabled for MySQL servers | 7595c971-233d-4bcf-bd18-596129188c49 | SQL | 1.0.2 | 1.0.2 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Private endpoint should be enabled for PostgreSQL servers | 0564d078-92f5-4f97-8398-b9f58a51f70b | SQL | 1.0.2 | 1.0.2 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Public network access for Azure Device Update for IoT Hub accounts should be disabled | 510ec8b2-cb9e-461d-b7f3-6b8678c31182 | Internet of Things | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access on Azure Data Explorer should be disabled | 43bc7be6-5e69-4b0d-a2bb-e815557ca673 | Azure Data Explorer | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access on Azure Data Factory should be disabled | 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 | Data Factory | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access on Azure IoT Hub should be disabled | 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb | Internet of Things | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access on Azure SQL Database should be disabled | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | SQL | 1.1.0 | 1.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Public network access should be disabled for Azure File Sync | 21a8cd35-125e-4d13-b82d-2e19b7208bb7 | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Public network access should be disabled for Batch accounts | 74c5a0ae-5e48-4738-b093-65e23a060488 | Batch | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access should be disabled for Container registries | 0fdf0491-d080-4575-b627-ad0e843cba0f | Container Registry | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Public network access should be disabled for IoT Central | cd870362-211d-4cad-9ad9-11e5ea4ebbc1 | Internet of Things | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access should be disabled for MariaDB servers | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | SQL | 2.0.0 | 2.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access should be disabled for MySQL flexible servers | c9299215-ae47-4f50-9c54-8a392f68a052 | SQL | 2.3.0 | 2.3.0, 2.2.0, 2.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access should be disabled for MySQL servers | d9844e8a-1437-4aeb-a32c-0c992f056095 | SQL | 2.0.0 | 2.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access should be disabled for PostgreSQL flexible servers | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | SQL | 3.1.0 | 3.1.0, 3.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Public network access should be disabled for PostgreSQL servers | b52376f7-9612-48a1-81cd-1ffe4b61032c | SQL | 2.0.1 | 2.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Queue Storage should use customer-managed key for encryption | f0e5abd0-2554-4736-b7c0-4ffef23475ef | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Resource logs in Azure Data Lake Store should be enabled | 057ef27e-665e-4328-8ea3-04b3122bd9fb | Data Lake | 5.0.0 | 5.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Azure Databricks Workspaces should be enabled | 138ff14d-b687-4faa-a81c-898c91a87fa2 | Azure Databricks | 1.0.1 | 1.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Azure Kubernetes Service should be enabled | 245fc9df-fa96-4414-9a0b-3738c2f7341c | Kubernetes | 1.0.0 | 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Azure Machine Learning Workspaces should be enabled | afe0c3be-ba3b-4544-ba52-0c99672a8ad6 | Machine Learning | 1.0.1 | 1.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Azure Stream Analytics should be enabled | f9be5368-9bf5-4b84-9e0a-7850da98bb46 | Stream Analytics | 5.0.0 | 5.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Batch accounts should be enabled | 428256e6-1fac-4f48-a757-df34c2b3336d | Batch | 5.0.0 | 5.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Data Lake Analytics should be enabled | c95c74d9-38fe-4f0d-af86-0c7d626a315c | Data Lake | 5.0.0 | 5.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Event Hub should be enabled | 83a214f7-d01a-484b-91a9-ed54470c9a6a | Event Hub | 5.0.0 | 5.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in IoT Hub should be enabled | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | Internet of Things | 3.1.0 | 3.1.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Resource logs in Key Vault should be enabled | cf820ca0-f99e-4f3e-84fb-66e913812d21 | Key Vault | 5.0.0 | 5.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Logic Apps should be enabled | 34f95f76-5386-4de7-b824-0d8478470c9d | Logic Apps | 5.1.0 | 5.1.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Search services should be enabled | b4330a05-a843-4bc8-bf9a-cacce50c67f4 | Search | 5.0.0 | 5.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Resource logs in Service Bus should be enabled | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | Service Bus | 5.0.0 | 5.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Role-Based Access Control (RBAC) should be used on Kubernetes Services | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | Security Center | 1.1.0 | 1.1.0, 1.0.4, 1.0.3 | Audit | Audit, Disabled | 0 | GA | true
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | fa298e57-9444-42ba-bf04-86e8470e32c7 | Monitoring | 1.1.0 | 1.1.0 | Audit | audit, Audit, deny, Deny, disabled, Disabled | 0 | GA | true
Secrets should have more than the specified number of days before expiration | b0eb591a-5e70-4534-a8bf-04b9c489584a | Key Vault | 1.0.1 | 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Secrets should have the specified maximum validity period | 342e8053-e12e-4c44-be01-c3c2f318400f | Key Vault | 1.0.1 | 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Secrets should not be active for longer than the specified number of days | e8d99835-8a06-45ae-a8e0-87a91941ccfe | Key Vault | 1.0.1 | 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Secure transfer to storage accounts should be enabled | 404c3081-a854-4457-ae30-26a93ef643f9 | Storage | 2.0.0 | 2.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Service Bus Namespaces should disable public network access | cbd11fd3-3002-4907-b6c8-579f0e700e13 | Service Bus | 1.1.0 | 1.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Service Bus namespaces should have double encryption enabled | ebaf4f25-a4e8-415f-86a8-42d9155bef0b | Service Bus | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Service Bus Premium namespaces should use a customer-managed key for encryption | 295fc8b1-dc9f-4f53-9c61-3f313ceab40a | Service Bus | 1.0.0 | 1.0.0 | Audit | Audit, Disabled | 0 | GA | true
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | 617c02be-7f02-4efd-8836-3180d47b6c68 | Service Fabric | 1.1.0 | 1.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Service Fabric clusters should only use Azure Active Directory for client authentication | b54ed75b-3e1a-44ac-a333-05ba39b99ff0 | Service Fabric | 1.1.0 | 1.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
SIM Group should use customer-managed keys to encrypt data at rest | 45c4e9bd-ad6b-4634-9566-c2dad2f03cbf | Mobile Network | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
SQL databases should have vulnerability findings resolved | feedbf84-6b99-488c-acc2-71c829aa5ffc | Security Center | 4.1.0 | 4.1.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
SQL Managed Instance should have the minimal TLS version of 1.2 | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL | 1.0.1 | 1.0.1 | Audit | Audit, Disabled | 0 | GA | true
SQL managed instances should use customer-managed keys to encrypt data at rest | ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 | SQL | 2.0.0 | 2.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
SQL servers on machines should have vulnerability findings resolved | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | Security Center | 1.0.0 | 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
SQL servers should use customer-managed keys to encrypt data at rest | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL | 2.0.1 | 2.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 89099bee-89e0-4b26-a5f4-165451757743 | SQL | 3.0.0 | 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan | c6283572-73bb-4deb-bf2c-7a2b8f7462cb | Security Center | 1.0.0 | 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Storage account encryption scopes should use customer-managed keys to encrypt data at rest | b5ec538c-daa0-4006-8596-35468b9148e8 | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Storage account encryption scopes should use double encryption for data at rest | bfecdea6-31c4-4045-ad42-71b9dc87247d | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Storage account keys should not be expired | 044985bb-afe1-42cd-8a36-9d5d42424537 | Storage | 3.0.0 | 3.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Storage account public access should be disallowed | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | Storage | 3.1.1 | 3.1.1, 3.1.0-preview | Audit | audit, Audit, deny, Deny, disabled, Disabled | 0 | GA | unknown
Storage accounts should be migrated to new Azure Resource Manager resources | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Storage accounts should disable public network access | b2982f36-99f2-4db5-8eff-283140c09693 | Storage | 1.0.1 | 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Storage accounts should have infrastructure encryption | 4733ea7b-a883-42fe-8cac-97454c2a9e4a | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Storage accounts should have the specified minimum TLS version | fe83a0eb-a853-422d-aac2-1bffd182c5d0 | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Storage accounts should prevent shared key access | 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 | Storage | 2.0.0 | 2.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Storage accounts should prevent shared key access (excluding storage accounts created by Databricks) | fd9903f1-38c2-4d36-8e44-5c1c20c561e8 | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Storage accounts should restrict network access | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage | 1.1.1 | 1.1.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Storage accounts should restrict network access using virtual network rules | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | Storage | 1.0.1 | 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
Storage accounts should restrict network access using virtual network rules (excluding storage accounts created by Databricks) | db4f9b05-5ffd-4b34-b714-3c710dbb3fd6 | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Storage accounts should use customer-managed key for encryption | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage | 1.0.3 | 1.0.3 | Audit | Audit, Disabled | 0 | GA | true
Storage accounts should use private link | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | Storage | 2.0.0 | 2.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Storage accounts should use private link (excluding storage accounts created by Databricks) | 1604f626-4d8d-4124-8bb8-b1e5f95562de | Storage | 1.0.0 | 1.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Stream Analytics job should use managed identity to authenticate endpoints | ea6c4923-510a-4346-be26-1894919a5b97 | Stream Analytics | 1.0.0 | 1.0.0 | Audit | Deny, Disabled, Audit | 0 | GA | unknown
Subnets should be associated with a Network Security Group | e71308d3-144b-4262-b144-efdc3cc90517 | Security Center | 3.0.0 | 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Subscriptions should have a contact email address for security issues | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | Security Center | 1.0.1 | 1.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Synapse Workspaces should have Microsoft Entra-only authentication enabled | 6ea81a52-5ca7-4575-9669-eaa910b7edf8 | Synapse | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation | 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 | Synapse | 1.2.0 | 1.2.0, 1.1.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
System updates should be installed on your machines (powered by Update Center) | f85bf3e0-d513-442e-89c3-1784ad63382b | Security Center | 1.0.1 | 1.0.1, 1.0.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Table Storage should use customer-managed key for encryption | 7c322315-e26d-4174-a99e-f49d351b4688 | Storage | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | 41425d9f-d1a5-499a-9932-f8ed8453932c | Kubernetes | 1.0.1 | 1.0.1 | Audit | Audit, Deny, Disabled | 0 | GA | true
There should be more than one owner assigned to your subscription | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | Security Center | 3.0.0 | 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Transparent Data Encryption must be enabled for Arc SQL managed instances. | 6599ab01-29bc-4852-a6f5-de9e2151714a | SQL Managed Instance | 1.0.0 | 1.0.0 | Audit | Audit, Disabled | 0 | GA | unknown
Transparent Data Encryption on SQL databases should be enabled | 17k78e20-9358-41c9-923c-fb736d382a12 | SQL | 2.0.0 | 2.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Users must authenticate with multi-factor authentication to create or update resources | 4e6c27d5-a6ee-49cf-b2b4-d8fe90fa2b8b | General | 1.0.1 | 1.0.1, 1.0.0-preview | Audit | Audit, Deny, Disabled | 0 | GA | unknown
Virtual machines and virtual machine scale sets should have encryption at host enabled | fc4d8e41-e223-45ea-9bf5-eada37891d87 | Compute | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | Security Center | 1.0.1 | 1.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Virtual machines should be migrated to new Azure Resource Manager resources | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | Compute | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Virtual networks should be protected by Azure DDoS Protection | 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d | Network | 1.0.1 | 1.0.1, 1.0.0 | Modify | Modify, Audit, Disabled | 1 (Network Contributor) | GA | unknown
VM Image Builder templates should use private link | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder | 1.1.0 | 1.1.0 | Audit | Audit, Disabled, Deny | 0 | GA | unknown
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | 21a6bc25-125e-4d13-b82d-2e19b7208ab7 | Network | 1.0.0 | 1.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Vulnerability assessment should be enabled on SQL Managed Instance | 1b7aa243-30e4-4c9e-bca8-d0d3022b634a | SQL | 1.0.1 | 1.0.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Vulnerability assessment should be enabled on your SQL servers | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | SQL | 3.0.0 | 3.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Web Application Firewall (WAF) should be enabled for Application Gateway | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Network | 2.0.0 | 2.0.0 | Audit | Audit, Deny, Disabled | 0 | GA | true
Windows Defender Exploit Guard should be enabled on your machines | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Guest Configuration | 2.0.0 | 2.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Windows machines should be configured to use secure communication protocols | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Guest Configuration | 4.1.1 | 4.1.1 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Windows machines should meet requirements of the Azure compute security baseline | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Guest Configuration | 2.0.0 | 2.0.0 | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | true
Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | 3dc5edcd-002d-444c-b216-e123bbfa37c0 | Guest Configuration | 1.1.1 | 1.1.1, 1.1.0-preview | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | GA | unknown
Roles used (total usage: 3, unique roles: 3)
Role | Role Id | #Policies | Policies
Network Contributor | 4d97b98b-1d4f-4787-a291-c67834d212e7 | 1 | Virtual networks should be protected by Azure DDoS Protection
Cognitive Services Contributor | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | 1 | Configure Azure AI Services resources to disable local key access (disable local authentication)
Cognitive Services OpenAI Contributor | a001fd3d-188f-4b5d-821b-7da978bf7442 | 1 | Configure Azure AI Services resources to disable local key access (disable local authentication)
History
Date/Time (UTC, ymd) | Changes
2025-10-23 17:22:49 | add Initiative e3ec7e09-768c-4b64-882c-fcada3772047