BuiltIn
13 categories
13 categories
Azure Landing Zones (ALZ)
10 categories
10 categories
| Category | Id | DisplayName | Description | Policies | State | Type |
|---|---|---|---|---|---|---|
| Automanage | c138fd1a-e08f-4318-9490-d11ef2c2f9c1 | [Preview]: Audit configuration against Automanage Best Practices | Automanage Machine Best Practices ensures that managed resources are setup in accordance with the desired state as defined in the assigned Configuration Profile. | Builtin Policies 6/6 Static Policies 0/6 |
Preview | BuiltIn |
| ChangeTrackingAndInventory | 53448c70-089b-4f52-8f38-89196d7f2de1 | [Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines | Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations. | Builtin Policies 6/6 Static Policies 0/6 |
Preview | BuiltIn |
| ChangeTrackingAndInventory | c4a70814-96be-461c-889f-2b27429120dc | [Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets | Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent. | Builtin Policies 7/7 Static Policies 0/7 |
Preview | BuiltIn |
| ChangeTrackingAndInventory | 92a36f05-ebc9-4bba-9128-b47ad2ea3354 | [Preview]: Enable ChangeTracking and Inventory for virtual machines | Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent. | Builtin Policies 7/7 Static Policies 0/7 |
Preview | BuiltIn |
| Cosmos DB | cb5e1e90-7c33-491c-a15b-24885c915752 | Enable Azure Cosmos DB throughput policy | Enable throughput control for Azure Cosmos DB resources in the specified scope (Management group, Subscription or resource group). Takes max throughput as parameter. Use this policy to help enforce throughput control via the resource provider. | Builtin Policies 2/2 Static Policies 0/2 |
GA | BuiltIn |
| Cost Optimization | Audit-UnusedResourcesCostOptimization | Unused resources driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost. | Builtin Policies 0/3 Static Policies 0/3 ALZ Policies 3/3 |
GA | ALZ |
| Decommissioned | Enforce-ALZ-Decomm | Enforce policies in the Decommissioned Landing Zone | Enforce policies in the Decommissioned Landing Zone. | Builtin Policies 1/2 Static Policies 0/2 ALZ Policies 1/2 |
GA | ALZ |
| Encryption | Enforce-Encryption-CMK | Deny or Audit resources without Encryption with a customer-managed key (CMK) | Deny or Audit resources without Encryption with a customer-managed key (CMK) | Builtin Policies 15/15 Static Policies 0/15 ALZ Policies 0/15 |
GA | ALZ |
| Encryption | Enforce-EncryptTransit | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit | Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. | Builtin Policies 3/21 Static Policies 0/21 ALZ Policies 18/21 |
GA | ALZ |
| Guest Configuration | c937dcb4-4398-4b39-8d63-4a6be432252e | [Deprecated]: Audit Linux VMs that do not have the specified applications installed | This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | f48bcc78-5400-4fb0-b913-5140a2e5fa20 | [Deprecated]: Audit Linux VMs that have the specified applications installed | This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6 | [Deprecated]: Audit VMs with insecure password security settings | This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 18/18 Static Policies 0/18 |
Deprecated | BuiltIn |
| Guest Configuration | acb6cd8e-45f5-466f-b3cb-ff6fce525f71 | [Deprecated]: Audit Windows Server VMs on which Windows Serial Console is not enabled | This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | add1999e-a61c-46d3-b8c3-f35fb8398175 | [Deprecated]: Audit Windows VMs in which the Administrators group contains any of the specified members | This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 133046de-0bd7-4546-93f4-f452e9e258b7 | [Deprecated]: Audit Windows VMs in which the Administrators group does not contain all of the specified members | This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 06122b01-688c-42a8-af2e-fa97dd39aa3b | [Deprecated]: Audit Windows VMs in which the Administrators group does not contain only the specified members | This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | c58599d5-0d51-454f-aaf1-da18a5e76edd | [Deprecated]: Audit Windows VMs on which the DSC configuration is not compliant | This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 06c5e415-a662-463a-bb85-ede14286b979 | [Deprecated]: Audit Windows VMs on which the Log Analytics agent is not connected as expected | This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 4ddaefff-7c78-4824-9b27-5c344f3cdf90 | [Deprecated]: Audit Windows VMs on which the remote host connection status does not match the specified one | This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 8eeec860-e2fa-4f89-a669-84942c57225f | [Deprecated]: Audit Windows VMs on which the specified services are not installed and 'Running' | This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 9d2fd8e6-95c8-410d-add0-43ada4241574 | [Deprecated]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 6b3c1e80-8ae5-405b-b021-c23d13b3959f | [Deprecated]: Audit Windows VMs that are not joined to the specified domain | This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 538942d3-3fae-4fb6-9d94-744f9a51e7da | [Deprecated]: Audit Windows VMs that are not set to the specified time zone | This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | b6f5e05c-0aaa-4337-8dd4-357c399d12ae | [Deprecated]: Audit Windows VMs that contain certificates expiring within the specified number of days | This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | cdfcc6ff-945e-4bc6-857e-056cbc511e0c | [Deprecated]: Audit Windows VMs that do not contain the specified certificates in Trusted Root | This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 25ef9b72-4af2-4501-acd1-fc814e73dde1 | [Deprecated]: Audit Windows VMs that do not have the specified applications installed | This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | f000289c-47af-4043-87da-91ba9e1a2720 | [Deprecated]: Audit Windows VMs that do not have the specified Windows PowerShell execution policy | This initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | c980fd64-c67f-49a6-a8a8-e57661150802 | [Deprecated]: Audit Windows VMs that do not have the specified Windows PowerShell modules installed | This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | d618d658-b2d0-410e-9e2e-bfbfd04d09fa | [Deprecated]: Audit Windows VMs that do not match Azure compute security baseline settings | This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure compute security baseline configurations. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 58/58 Static Policies 0/58 |
Deprecated | BuiltIn |
| Guest Configuration | b8b5b0a8-b809-4e5d-8082-382c686e35b7 | [Deprecated]: Audit Windows VMs that have not restarted within the specified number of days | This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | d7fff7ea-9d47-4952-b854-b7da261e48f2 | [Deprecated]: Audit Windows VMs that have the specified applications installed | This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | c96b2a9c-6fab-4ac2-ae21-502143491cd4 | [Deprecated]: Audit Windows VMs with a pending reboot | This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 8bc55e6b-e9d5-4266-8dac-f688d151ec9c | [Deprecated]: Audit Windows web servers that are not using secure communication protocols | This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 2/2 Static Policies 0/2 |
Deprecated | BuiltIn |
| Guest Configuration | 2b0ce52e-301c-4221-ab38-1601e2b4cee3 | [Preview]: Deploy prerequisites to enable Guest Configuration policies on virtual machines using user-assigned managed identity | This initiative adds a user-assigned managed identity and deploys the platform-appropriate Guest Configuration extension to virtual machines that are eligible to be monitored by Guest Configuration policies. This is a prerequisite for all Guest Configuration policies and must be assigned to the policy assignment scope before using any Guest Configuration policy. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Builtin Policies 3/3 Static Policies 0/3 |
Preview | BuiltIn |
| Guest Configuration | be7a78aa-3e10-4153-a5fd-8c6506dbc821 | [Preview]: Windows machines should meet requirements for the Azure compute security baseline | This initiative audits Windows machines with settings that do not meet the Azure compute security baseline. For details, please visit https://aka.ms/gcpol | Builtin Policies 29/29 Static Policies 0/29 |
Preview | BuiltIn |
| Guest Configuration | 095e4ed9-c835-4ab6-9439-b5644362a06c | Audit machines with insecure password security settings | This initiative deploys the policy requirements and audits machines with insecure password security settings. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Builtin Policies 9/9 Static Policies 0/9 |
GA | BuiltIn |
| Guest Configuration | ee6f9c39-ca6c-4937-b5b7-f6d9775a6f17 | Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machine(including prerequisites) | Creates a Guest Configuration assignment(including prerequisites) to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine. For details, visit https://aka.ms/SetSecureProtocol | Builtin Policies 3/3 Static Policies 0/3 |
GA | BuiltIn |
| Guest Configuration | 12794019-7a00-42cf-95c2-882eed337cc8 | Deploy prerequisites to enable Guest Configuration policies on virtual machines | This initiative adds a system-assigned managed identity and deploys the platform-appropriate Guest Configuration extension to virtual machines that are eligible to be monitored by Guest Configuration policies. This is a prerequisite for all Guest Configuration policies and must be assigned to the policy assignment scope before using any Guest Configuration policy. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Builtin Policies 4/4 Static Policies 0/4 |
GA | BuiltIn |
| Guest Configuration | Enforce-ACSB | Enforce Azure Compute Security Benchmark compliance auditing | Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines. | Builtin Policies 5/5 Static Policies 0/5 ALZ Policies 0/5 |
GA | ALZ |
| Key Vault | Enforce-Guardrails-KeyVault | Enforce recommended guardrails for Azure Key Vault | Enforce recommended guardrails for Azure Key Vault. | Builtin Policies 8/8 Static Policies 0/8 ALZ Policies 0/8 |
GA | ALZ |
| Kubernetes | c047ea8e-9c78-49b2-958b-37e56d291a44 | [Preview]: AKS Guardrails should help guide developers towards AKS recommended best practices | A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service | Builtin Policies 7/7 Static Policies 0/7 |
Preview | BuiltIn |
| Kubernetes | a8640138-9b0a-4a28-b8cb-1666c838647d | Kubernetes cluster pod security baseline standards for Linux-based workloads | This initiative includes the policies for the Kubernetes cluster pod security baseline standards. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Builtin Policies 5/5 Static Policies 0/5 |
GA | BuiltIn |
| Kubernetes | 42b8ef37-b724-4e24-bbc8-7a7708edfe00 | Kubernetes cluster pod security restricted standards for Linux-based workloads | This initiative includes the policies for the Kubernetes cluster pod security restricted standards. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Builtin Policies 8/8 Static Policies 0/8 |
GA | BuiltIn |
| Managed Identity | 5e4ee281-95a3-442a-bb2a-5ef68cf5181a | [Preview]: Managed Identity Federated Credentials should be of approved types from approved federation sources | Control use of federated credentials for Managed Identities. This initiative incudes policies to block federated identity credentials altogether, to limit use to specific federation provider types, and to limit federation reationships to approved sources. | Builtin Policies 3/3 Static Policies 0/3 |
Preview | BuiltIn |
| Monitoring | 39a366e6-fdde-4f41-bbf8-3757f46d1611 | [Preview]: Configure Azure Defender for SQL agents on virtual machines | Configure virtual machines to automatically install the Azure Defender for SQL agents where the Azure Monitor Agent is installed. Security Center collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. This policy only applies to VMs in a few regions. | Builtin Policies 1/1 Static Policies 0/1 |
Preview | BuiltIn |
| Monitoring | a15f3269-2e10-458c-87a4-d5989e678a73 | [Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines | Configure machines to automatically install the Azure Monitor and Azure Security agents. Security Center collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. This policy only applies to VMs in a few regions. | Builtin Policies 7/7 Static Policies 0/7 |
Preview | BuiltIn |
| Monitoring | 59e9c3eb-d8df-473b-8059-23fd38ddd0f0 | [Preview]: Enable Azure Monitor for Hybrid VMs with AMA | Enable Azure Monitor for the hybrid virtual machines with AMA. Takes Log Analytics workspace as parameter and asks for an option to enable Processes and Dependencies. | Builtin Policies 5/5 Static Policies 0/5 |
Preview | BuiltIn |
| Monitoring | 9dffaf29-5905-4145-883c-957eb442c226 | [Preview]: Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) | Enable Azure Monitor for the virtual machines (VMs) with AMA. Takes Log Analytics workspace as parameter and asks for an option to enable Processes and Dependencies. | Builtin Policies 6/6 Static Policies 0/6 |
Preview | BuiltIn |
| Monitoring | 1f9b0c83-b4fa-4585-a686-72b74aeabcfd | [Preview]: Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA) | Enable Azure Monitor for the virtual machines scale set (VMSS) with AMA. Takes Log Analytics workspace as parameter and asks for an option to enable Processes and Dependencies. | Builtin Policies 6/6 Static Policies 0/6 |
Preview | BuiltIn |
| Monitoring | 118f04da-0375-44d1-84e3-0fd9e1849403 | Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule | Monitor and secure your Linux virtual machines, virtual machine scale sets, and Arc machines by deploying the Azure Monitor Agent extension and associating the machines with a specified Data Collection Rule. Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | Builtin Policies 4/4 Static Policies 0/4 |
GA | BuiltIn |
| Monitoring | 9575b8b7-78ab-4281-b53b-d3c1ace2260b | Configure Windows machines to run Azure Monitor Agent and associate them to a Data Collection Rule | Monitor and secure your Windows virtual machines, virtual machine scale sets, and Arc machines by deploying the Azure Monitor Agent extension and associating the machines with a specified Data Collection Rule. Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | Builtin Policies 4/4 Static Policies 0/4 |
GA | BuiltIn |
| Monitoring | Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings to Azure Services | This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included | Builtin Policies 17/70 Static Policies 0/70 ALZ Policies 53/70 |
GA | ALZ |
| Monitoring | babf8e94-780b-4b4d-abaa-4830136a8725 | Deploy Linux Azure Monitor Agent with user-assigned managed identity-based auth and associate with Data Collection Rule | Monitor your Linux virtual machines and virtual machine scale sets by deploying the Azure Monitor Agent extension with user-assigned managed identity authentication and associating with specified Data Collection Rule. Azure Monitor Agent Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | Builtin Policies 5/5 Static Policies 0/5 |
GA | BuiltIn |
| Monitoring | 0d1b56c6-6d1f-4a5d-8695-b15efbea6b49 | Deploy Windows Azure Monitor Agent with user-assigned managed identity-based auth and associate with Data Collection Rule | Monitor your Windows virtual machines and virtual machine scale sets by deploying the Azure Monitor Agent extension with user-assigned managed identity authentication and associating with specified Data Collection Rule. Azure Monitor Agent Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | Builtin Policies 5/5 Static Policies 0/5 |
GA | BuiltIn |
| Monitoring | 1020d527-2764-4230-92cc-7035e4fcf8a7 | Enable audit category group resource logging for supported resources to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the audit category group to route logs to Event Hub for all supported resources | Builtin Policies 33/33 Static Policies 0/33 |
GA | BuiltIn |
| Monitoring | f5b29bc4-feca-4cc6-a58a-772dd5e290a5 | Enable audit category group resource logging for supported resources to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the audit category group to route logs to Log Analytics for all supported resources. | Builtin Policies 33/33 Static Policies 0/33 |
GA | BuiltIn |
| Monitoring | 8d723fb6-6680-45be-9d37-b1a4adb52207 | Enable audit category group resource logging for supported resources to storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the audit category group to route logs to storage for all supported resources. | Builtin Policies 33/33 Static Policies 0/33 |
GA | BuiltIn |
| Monitoring | 75714362-cae7-409e-9b99-a8e5075b7fad | Legacy - Enable Azure Monitor for Virtual Machine Scale Sets | Legacy - Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Use the new initiative named: Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA). Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Builtin Policies 6/6 Static Policies 0/6 |
GA | BuiltIn |
| Monitoring | 55f3eceb-5573-4f18-9695-226972c6d74a | Legacy - Enable Azure Monitor for VMs | Legacy - Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. Use the new initiative named: Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) | Builtin Policies 10/10 Static Policies 0/10 |
GA | BuiltIn |
| Network | Deploy-Private-DNS-Zones | Configure Azure PaaS services to use private DNS zones | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones | Builtin Policies 37/37 Static Policies 0/37 ALZ Policies 0/37 |
GA | ALZ |
| Network | 62329546-775b-4a3d-a4cb-eb4bb990d2c0 | Flow logs should be configured and enabled for every network security group | Audit for network security groups to verify if flow logs are configured and if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Builtin Policies 2/2 Static Policies 0/2 |
GA | BuiltIn |
| Network | Deny-PublicPaaSEndpoints | Public network access should be disabled for PaaS services | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints | Builtin Policies 18/20 Static Policies 0/20 ALZ Policies 2/20 |
GA | ALZ |
| Regulatory Compliance | 42a694ed-f65e-42b2-aa9e-8052e9740a92 | [Deprecated]: Azure Security Benchmark v1 | This initiative has been deprecated. The Azure Security Benchmark initiative now represents the Azure Security Benchmark v2 controls, and serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center. | Builtin Policies 118/118 Static Policies 0/118 |
Deprecated | BuiltIn |
| Regulatory Compliance | bb522ac1-bc39-4957-b194-429bcd3bcb0b | [Deprecated]: Azure Security Benchmark v2 | This initiative has been deprecated. The Azure Security Benchmark v2 policy set is now represented in the consolidated Azure Security Benchmark initiative, which also serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center | Builtin Policies 159/159 Static Policies 0/159 |
Deprecated | BuiltIn |
| Regulatory Compliance | 8d792a84-723c-4d92-a3c3-e4ed16a2d133 | [Deprecated]: DoD Impact Level 4 | This initiative includes policies that address a subset of DoD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-initiative. | Builtin Policies 79/79 Static Policies 0/79 |
Deprecated | BuiltIn |
| Regulatory Compliance | 27272c0b-c225-4cc3-b8b0-f2534b093077 | [Preview]: Australian Government ISM PROTECTED | This initiative includes policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/auism-initiative. | Builtin Policies 54/54 Static Policies 0/54 |
Preview | BuiltIn |
| Regulatory Compliance | 4e50fd13-098b-3206-61d6-d1d78205cb45 | [Preview]: CMMC 2.0 Level 2 | This initiative includes policies that address a subset of CMMC 2.0 Level 2 practices. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc2l2-initiative. | Builtin Policies 250/250 Static Policies 0/250 |
Preview | BuiltIn |
| Regulatory Compliance | 92646f03-e39d-47a9-9e24-58d60ef49af8 | [Preview]: Motion Picture Association of America (MPAA) | This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-init. | Builtin Policies 36/36 Static Policies 0/36 |
Preview | BuiltIn |
| Regulatory Compliance | d0d5578d-cc08-2b22-31e3-f525374f235a | [Preview]: Reserve Bank of India - IT Framework for Banks | This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Banks controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/rbiitfbanks-initiative. | Builtin Policies 175/175 Static Policies 0/175 |
Preview | BuiltIn |
| Regulatory Compliance | 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c | [Preview]: Reserve Bank of India - IT Framework for NBFC | This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Non-Banking Financial Companies (NBFC) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/rbiitfnbfc-initiative. | Builtin Policies 137/137 Static Policies 0/137 |
Preview | BuiltIn |
| Regulatory Compliance | 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 | [Preview]: SWIFT CSP-CSCF v2020 | This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2020-init. | Builtin Policies 59/59 Static Policies 0/59 |
Preview | BuiltIn |
| Regulatory Compliance | abf84fac-f817-a70c-14b5-47eec767458a | [Preview]: SWIFT CSP-CSCF v2021 | This initiative includes policies that address a subset of the SWIFT Customer Security Program's Customer Security Controls Framework v2021 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2021-init. | Builtin Policies 138/138 Static Policies 0/138 |
Preview | BuiltIn |
| Regulatory Compliance | 80307b86-ab81-45ab-bf4f-4e0b93cf3dd5 | ACAT for Microsoft 365 Certification | App Compliance Automation Tool for Microsoft 365 (ACAT) simplifies the process to achieve Microsoft 365 Certification, see https://aka.ms/acat. This certification ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. This initiative includes policies that address a subset of the Microsoft 365 Certification controls. Additional policies will be added in upcoming releases. | Builtin Policies 24/24 Static Policies 0/24 |
GA | BuiltIn |
| Regulatory Compliance | 4c4a5f27-de81-430b-b4e5-9cbd50595a87 | Canada Federal PBMM | This initiative includes policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/canadafederalpbmm-init. | Builtin Policies 57/57 Static Policies 0/57 |
GA | BuiltIn |
| Regulatory Compliance | 1a5bb27d-173f-493e-9568-eb56638dde4d | CIS Microsoft Azure Foundations Benchmark v1.1.0 | The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.1.0 controls. For more information, visit https://aka.ms/cisazure110-initiative | Builtin Policies 156/156 Static Policies 0/156 |
GA | BuiltIn |
| Regulatory Compliance | 612b5213-9160-4969-8578-1518bd2a000c | CIS Microsoft Azure Foundations Benchmark v1.3.0 | The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.3.0 controls. For more information, visit https://aka.ms/cisazure130-initiative | Builtin Policies 169/169 Static Policies 0/169 |
GA | BuiltIn |
| Regulatory Compliance | c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 | CIS Microsoft Azure Foundations Benchmark v1.4.0 | The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.4.0 controls. For more information, visit https://aka.ms/cisazure130-initiative | Builtin Policies 168/168 Static Policies 0/168 |
GA | BuiltIn |
| Regulatory Compliance | b5629c75-5c77-4422-87b9-2509e680f8de | CMMC Level 3 | This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative. | Builtin Policies 160/160 Static Policies 0/160 |
GA | BuiltIn |
| Regulatory Compliance | d5264498-16f4-418a-b659-fa7ef418175f | FedRAMP High | FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (High) controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp | Builtin Policies 735/735 Static Policies 0/735 |
GA | BuiltIn |
| Regulatory Compliance | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | FedRAMP Moderate | FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (Moderate) controls. Additional policies will be added in upcoming releases. For more information, visit https://www.fedramp.gov/documents-templates/ | Builtin Policies 666/666 Static Policies 0/666 |
GA | BuiltIn |
| Regulatory Compliance | a169a624-5599-4385-a696-c8d643089fab | HITRUST/HIPAA | Health Information Trust Alliance (HITRUST) helps organizations from all sectors-but especially healthcare-effectively manage data, information risk, and compliance. HITRUST certification means that the organization has undergone a thorough assessment of the information security program. These policies address a subset of HITRUST controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/hipaa-hitrust-9-2 | Builtin Policies 610/610 Static Policies 0/610 |
GA | BuiltIn |
| Regulatory Compliance | 105e0327-6175-4eb2-9af4-1fba43bdb39d | IRS1075 September 2016 | This initiative includes policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/irs1075-init. | Builtin Policies 60/60 Static Policies 0/60 |
GA | BuiltIn |
| Regulatory Compliance | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | ISO 27001:2013 | The International Organization for Standardization (ISO) 27001 standard provides requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). These policies address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init | Builtin Policies 460/460 Static Policies 0/460 |
GA | BuiltIn |
| Regulatory Compliance | d1a462af-7e6d-4901-98ac-61570b4ed22a | New Zealand ISM Restricted | This initiative includes policies that address a subset of New Zealand Information Security Manual controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative. | Builtin Policies 127/127 Static Policies 0/127 |
GA | BuiltIn |
| Regulatory Compliance | 93d2179e-3068-c82f-2428-d614ae836a04 | New Zealand ISM Restricted v3.5 | This initiative includes policies that address a subset of New Zealand Information Security Manual v3.5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative. | Builtin Policies 165/165 Static Policies 0/165 |
GA | BuiltIn |
| Regulatory Compliance | 03055927-78bd-4236-86c0-f36125a10dc9 | NIST SP 800-171 Rev. 2 | The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171 | Builtin Policies 465/465 Static Policies 0/465 |
GA | BuiltIn |
| Regulatory Compliance | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | NIST SP 800-53 Rev. 4 | National Institute of Standards and Technology (NIST) SP 800-53 R4 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk.These policies address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r4-initiative | Builtin Policies 736/736 Static Policies 0/736 |
GA | BuiltIn |
| Regulatory Compliance | 179d1daa-458f-4e47-8086-2a68d0d6c38f | NIST SP 800-53 Rev. 5 | National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk. These policies address a subset of NIST SP 800-53 R5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r5-initiative | Builtin Policies 721/721 Static Policies 0/721 |
GA | BuiltIn |
| Regulatory Compliance | c676748e-3af9-4e22-bc28-50feed564afb | PCI DSS v4 | The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data. These policies address a subset of PCI-DSS v4 controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/pci-dss-3-2-1 | Builtin Policies 277/277 Static Policies 0/277 |
GA | BuiltIn |
| Regulatory Compliance | 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 | PCI v3.2.1:2018 | This initiative includes policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/pciv321-init. | Builtin Policies 36/36 Static Policies 0/36 |
GA | BuiltIn |
| Regulatory Compliance | 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 | RMIT Malaysia | This initiative includes policies that address a subset of RMIT requirements. Additional policies will be added in upcoming releases. For more information, visit aka.ms/rmit-initiative. | Builtin Policies 209/209 Static Policies 0/209 |
GA | BuiltIn |
| Regulatory Compliance | 4054785f-702b-4a98-9215-009cbd58b141 | SOC 2 Type 2 | A System and Organization Controls (SOC) 2 is a report based on the Trust Service Principles and Criteria established by the American Institute of Certified Public Accountants (AICPA). The Report evaluates an organization's information system relevant to the following principles: security, availability, processing integrity, confidentiality and privacy. These policies address a subset of SOC 2 Type 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-soc-2 | Builtin Policies 320/320 Static Policies 0/320 |
GA | BuiltIn |
| Regulatory Compliance | 7bc7cd6c-4114-ff31-3cac-59be3157596d | SWIFT CSP-CSCF v2022 | SWIFT's Customer Security Programme (CSP) helps financial institutions ensure their defences against cyberattacks are up to date and effective, to protect the integrity of the wider financial network. Users compare the security measures they have implemented with those detailed in the Customer Security Controls Framework (CSCF). These policies address a subset of SWIFT controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/swift-cscf-v2021 | Builtin Policies 343/343 Static Policies 0/343 |
GA | BuiltIn |
| Regulatory Compliance | 3937f550-eedd-4639-9c5e-294358be442e | UK OFFICIAL and UK NHS | This initiative includes audit and virtual machine extension deployment policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/ukofficial-init and https://aka.ms/uknhs-init. | Builtin Policies 57/57 Static Policies 0/57 |
GA | BuiltIn |
| Sandbox | Enforce-ALZ-Sandbox | Enforce policies in the Sandbox Landing Zone | Enforce policies in the Sandbox Landing Zone. | Builtin Policies 1/2 Static Policies 0/2 ALZ Policies 1/2 |
GA | ALZ |
| SDN | f1535064-3294-48fa-94e2-6e83095a5c08 | Audit Public Network Access | Audit Azure resources that allow access from the public internet | Builtin Policies 36/36 Static Policies 0/36 |
GA | BuiltIn |
| SDN | 7379ef4c-89b0-48b6-a5cc-fd3a75eaef93 | Evaluate Private Link Usage Across All Supported Azure Resources | Compliant resources have at least one approved private endpoint connection | Builtin Policies 30/30 Static Policies 0/30 |
GA | BuiltIn |
| Security Center | 362ab02d-c362-417e-a525-45805d58e21d | [Preview]: Configure machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for Cloud collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target machines must be in a supported location. | Builtin Policies 13/13 Static Policies 0/13 |
Preview | BuiltIn |
| Security Center | 500ab3a2-f1bd-4a5a-8e47-3e09d9a294c3 | [Preview]: Configure machines to create the user-defined Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for Cloud collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target machines must be in a supported location. | Builtin Policies 13/13 Static Policies 0/13 |
Preview | BuiltIn |
| Security Center | e20d08c5-6d64-656d-6465-ce9e37fd0ebc | [Preview]: Deploy Microsoft Defender for Endpoint agent | Deploy Microsoft Defender for Endpoint agent on applicable images. | Builtin Policies 4/4 Static Policies 0/4 |
Preview | BuiltIn |
| Security Center | e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | Configure Advanced Threat Protection to be enabled on open-source relational databases | Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu. | Builtin Policies 3/3 Static Policies 0/3 |
GA | BuiltIn |
| Security Center | 9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 | Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances | Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Builtin Policies 3/3 Static Policies 0/3 |
GA | BuiltIn |
| Security Center | 9d46421d-1a48-4636-8d1a-5525ed29172d | Configure Microsoft Defender for Databases to be enabled | Configure Microsoft Defender for Databases to protect your Azure SQL Databases, Managed Instances, Open-source relational databases and Cosmos DB. | Builtin Policies 4/4 Static Policies 0/4 |
GA | BuiltIn |
| Security Center | Deploy-MDFC-Config | Deploy Microsoft Defender for Cloud configuration | Deploy Microsoft Defender for Cloud configuration | Builtin Policies 17/18 Static Policies 0/18 ALZ Policies 1/18 |
GA | ALZ |
| Security Center | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Microsoft cloud security benchmark | The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud. | Builtin Policies 221/221 Static Policies 0/221 |
GA | BuiltIn |
| SQL | Deploy-Sql-Security | Deploy SQL Database built-in SQL security configuration | Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment | Builtin Policies 1/4 Static Policies 0/4 ALZ Policies 3/4 |
GA | ALZ |
| Tags | 1bb84455-9e6e-434c-8db6-fa6d03a67e87 | Ensures resources to not have a specifc tag. | Denies the creation of a resource that contains the given tag. Does not apply to resource groups. | Builtin Policies 1/1 Static Policies 0/1 |
GA | BuiltIn |
| Trusted Launch | 281d9e47-d14d-4f05-b8eb-18f2c4a034ff | [Preview]: Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs | Configure the Trusted Launch enabled virtual machines to automatically install the Guest Attestation extension and enable system-assigned managed identity to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. For more details, please refer to the following link - https://aka.ms/trustedlaunch | Builtin Policies 7/7 Static Policies 0/7 |
Preview | BuiltIn |