Azure Policy Regulatory Compliance controls for Azure App Service

Regulatory Compliance in Azure Policy provides Microsoft-created and Microsoft-managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure App Service. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Latest TLS version should be used in your API App | 1.0.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Latest TLS version should be used in your Function App | 1.0.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Latest TLS version should be used in your Web App | 1.0.0 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | Remote debugging should be turned off for API Apps | 1.0.0 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Guidelines for Software Development - Web application development | 1424 | Web browser-based security controls - 1424 | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Guidelines for Software Development - Web application development | 1552 | Web application interactions - 1552 | API App should only be accessible over HTTPS | 1.0.0 |
| Guidelines for Software Development - Web application development | 1552 | Web application interactions - 1552 | Function App should only be accessible over HTTPS | 1.0.0 |
| Guidelines for Software Development - Web application development | 1552 | Web application interactions - 1552 | Web Application should only be accessible over HTTPS | 1.0.0 |

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Identity Management | IM-1 | Standardize Azure Active Directory as the central identity and authentication system | Managed identity should be used in your API App | 2.0.0 |
| Identity Management | IM-1 | Standardize Azure Active Directory as the central identity and authentication system | Managed identity should be used in your Function App | 2.0.0 |
| Identity Management | IM-1 | Standardize Azure Active Directory as the central identity and authentication system | Managed identity should be used in your Web App | 2.0.0 |
| Identity Management | IM-2 | Manage application identities securely and automatically | Managed identity should be used in your API App | 2.0.0 |
| Identity Management | IM-2 | Manage application identities securely and automatically | Managed identity should be used in your Function App | 2.0.0 |
| Identity Management | IM-2 | Manage application identities securely and automatically | Managed identity should be used in your Web App | 2.0.0 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | API App should only be accessible over HTTPS | 1.0.0 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | FTPS only should be required in your API App | 2.0.0 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | FTPS only should be required in your Function App | 2.0.0 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | FTPS should be required in your Web App | 2.0.0 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | Function App should only be accessible over HTTPS | 1.0.0 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | Latest TLS version should be used in your API App | 1.0.0 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | Latest TLS version should be used in your Function App | 1.0.0 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | Latest TLS version should be used in your Web App | 1.0.0 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | Web Application should only be accessible over HTTPS | 1.0.0 |
| Logging and Threat Detection | LT-4 | Enable logging for Azure resources | Diagnostic logs in App Services should be enabled | 2.0.0 |
| Posture and Vulnerability Management | PV-2 | Sustain secure configurations for Azure services | CORS should not allow every resource to access your API App | 1.0.0 |
| Posture and Vulnerability Management | PV-2 | Sustain secure configurations for Azure services | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Posture and Vulnerability Management | PV-2 | Sustain secure configurations for Azure services | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Posture and Vulnerability Management | PV-2 | Sustain secure configurations for Azure services | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| Posture and Vulnerability Management | PV-2 | Sustain secure configurations for Azure services | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| Posture and Vulnerability Management | PV-2 | Sustain secure configurations for Azure services | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 1.0.1 |
| Posture and Vulnerability Management | PV-2 | Sustain secure configurations for Azure services | Remote debugging should be turned off for API Apps | 1.0.0 |
| Posture and Vulnerability Management | PV-2 | Sustain secure configurations for Azure services | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Posture and Vulnerability Management | PV-2 | Sustain secure configurations for Azure services | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | Ensure that 'Java version' is the latest, if used as a part of the API app | 2.0.0 |
| Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | Ensure that 'Java version' is the latest, if used as a part of the Function app | 2.0.0 |
| Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | Ensure that 'Java version' is the latest, if used as a part of the Web app | 2.0.0 |
| Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | Ensure that 'PHP version' is the latest, if used as a part of the API app | 2.1.0 |
| Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | 2.1.0 |
| Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | Ensure that 'Python version' is the latest, if used as a part of the API app | 3.0.0 |
| Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | Ensure that 'Python version' is the latest, if used as a part of the Function app | 3.0.0 |
| Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | Ensure that 'Python version' is the latest, if used as a part of the Web app | 3.0.0 |

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | App Service should use a virtual network service endpoint | 1.0.0 |
| Network Security | 1.3 | Protect critical web applications | CORS should not allow every resource to access your API App | 1.0.0 |
| Network Security | 1.3 | Protect critical web applications | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Network Security | 1.3 | Protect critical web applications | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Network Security | 1.3 | Protect critical web applications | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| Network Security | 1.3 | Protect critical web applications | Remote debugging should be turned off for API Apps | 1.0.0 |
| Network Security | 1.3 | Protect critical web applications | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Network Security | 1.3 | Protect critical web applications | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Diagnostic logs in App Services should be enabled | 2.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | API App should only be accessible over HTTPS | 1.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | FTPS only should be required in your API App | 2.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | FTPS only should be required in your Function App | 2.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | FTPS should be required in your Web App | 2.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | Function App should only be accessible over HTTPS | 1.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | Latest TLS version should be used in your API App | 1.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | Latest TLS version should be used in your Function App | 1.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | Latest TLS version should be used in your Web App | 1.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | Web Application should only be accessible over HTTPS | 1.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Ensure that 'Java version' is the latest, if used as a part of the API app | 2.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Ensure that 'Java version' is the latest, if used as a part of the Function app | 2.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Ensure that 'Java version' is the latest, if used as a part of the Web app | 2.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Ensure that 'PHP version' is the latest, if used as a part of the API app | 2.1.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | 2.1.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Ensure that 'Python version' is the latest, if used as a part of the API app | 3.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Ensure that 'Python version' is the latest, if used as a part of the Function app | 3.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Ensure that 'Python version' is the latest, if used as a part of the Web app | 3.0.0 |
| Secure Configuration | 7.12 | Manage identities securely and automatically | Managed identity should be used in your API App | 2.0.0 |
| Secure Configuration | 7.12 | Manage identities securely and automatically | Managed identity should be used in your Function App | 2.0.0 |
| Secure Configuration | 7.12 | Manage identities securely and automatically | Managed identity should be used in your Web App | 2.0.0 |

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-4 | Information Flow Enforcement | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Remote debugging should be turned off for API Apps | 1.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Remote debugging should be turned off for Web Applications | 1.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | API App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Function App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Web Application should only be accessible over HTTPS | 1.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Authentication should be enabled on your API app | 1.0.0 |
| AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Authentication should be enabled on your Function app | 1.0.0 |
| AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Authentication should be enabled on your web app | 1.0.0 |
| AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Web Application should only be accessible over HTTPS | 1.0.0 |
| AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Latest TLS version should be used in your API App | 1.0.0 |
| AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Latest TLS version should be used in your Function App | 1.0.0 |
| AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Latest TLS version should be used in your Web App | 1.0.0 |
| AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 1.0.1 |
| AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Managed identity should be used in your API App | 2.0.0 |
| AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Managed identity should be used in your Function App | 2.0.0 |
| AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Managed identity should be used in your Web App | 2.0.0 |
| AppService | 9.7 | Ensure that 'PHP version' is the latest, if used to run the web app | Ensure that 'PHP version' is the latest, if used as a part of the API app | 2.1.0 |
| AppService | 9.7 | Ensure that 'PHP version' is the latest, if used to run the web app | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | 2.1.0 |
| AppService | 9.8 | Ensure that 'Python version' is the latest, if used to run the web app | Ensure that 'Python version' is the latest, if used as a part of the API app | 3.0.0 |
| AppService | 9.8 | Ensure that 'Python version' is the latest, if used to run the web app | Ensure that 'Python version' is the latest, if used as a part of the Function app | 3.0.0 |
| AppService | 9.8 | Ensure that 'Python version' is the latest, if used to run the web app | Ensure that 'Python version' is the latest, if used as a part of the Web app | 3.0.0 |
| AppService | 9.9 | Ensure that 'Java version' is the latest, if used to run the web app | Ensure that 'Java version' is the latest, if used as a part of the API app | 2.0.0 |
| AppService | 9.9 | Ensure that 'Java version' is the latest, if used to run the web app | Ensure that 'Java version' is the latest, if used as a part of the Function app | 2.0.0 |
| AppService | 9.9 | Ensure that 'Java version' is the latest, if used to run the web app | Ensure that 'Java version' is the latest, if used as a part of the Web app | 2.0.0 |
| AppService | 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Ensure that 'HTTP Version' is the latest, if used to run the API app | 2.0.0 |
| AppService | 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | 2.0.0 |
| AppService | 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Ensure that 'HTTP Version' is the latest, if used to run the Web app | 2.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Diagnostic logs in App Services should be enabled | 2.0.0 |
| App Service | 9.1 | Ensure App Service Authentication is set on Azure App Service | Authentication should be enabled on your API app | 1.0.0 |
| App Service | 9.1 | Ensure App Service Authentication is set on Azure App Service | Authentication should be enabled on your Function app | 1.0.0 |
| App Service | 9.1 | Ensure App Service Authentication is set on Azure App Service | Authentication should be enabled on your web app | 1.0.0 |
| App Service | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Web Application should only be accessible over HTTPS | 1.0.0 |
| App Service | 9.3 | Ensure web app is using the latest version of TLS encryption | Latest TLS version should be used in your API App | 1.0.0 |
| App Service | 9.3 | Ensure web app is using the latest version of TLS encryption | Latest TLS version should be used in your Function App | 1.0.0 |
| App Service | 9.3 | Ensure web app is using the latest version of TLS encryption | Latest TLS version should be used in your Web App | 1.0.0 |
| App Service | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| App Service | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| App Service | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 1.0.1 |
| App Service | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Managed identity should be used in your API App | 2.0.0 |
| App Service | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Managed identity should be used in your Function App | 2.0.0 |
| App Service | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Managed identity should be used in your Web App | 2.0.0 |
| App Service | 9.6 | Ensure that 'PHP version' is the latest, if used to run the web app | Ensure that 'PHP version' is the latest, if used as a part of the API app | 2.1.0 |
| App Service | 9.6 | Ensure that 'PHP version' is the latest, if used to run the web app | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | 2.1.0 |
| App Service | 9.7 | Ensure that 'Python version' is the latest, if used to run the web app | Ensure that 'Python version' is the latest, if used as a part of the API app | 3.0.0 |
| App Service | 9.7 | Ensure that 'Python version' is the latest, if used to run the web app | Ensure that 'Python version' is the latest, if used as a part of the Function app | 3.0.0 |
| App Service | 9.7 | Ensure that 'Python version' is the latest, if used to run the web app | Ensure that 'Python version' is the latest, if used as a part of the Web app | 3.0.0 |
| App Service | 9.8 | Ensure that 'Java version' is the latest, if used to run the web app | Ensure that 'Java version' is the latest, if used as a part of the API app | 2.0.0 |
| App Service | 9.8 | Ensure that 'Java version' is the latest, if used to run the web app | Ensure that 'Java version' is the latest, if used as a part of the Function app | 2.0.0 |
| App Service | 9.8 | Ensure that 'Java version' is the latest, if used to run the web app | Ensure that 'Java version' is the latest, if used as a part of the Web app | 2.0.0 |
| App Service | 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Ensure that 'HTTP Version' is the latest, if used to run the API app | 2.0.0 |
| App Service | 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | 2.0.0 |
| App Service | 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Ensure that 'HTTP Version' is the latest, if used to run the Web app | 2.0.0 |
| App Service | 9.10 | Ensure FTP deployments are disabled | FTPS only should be required in your API App | 2.0.0 |
| App Service | 9.10 | Ensure FTP deployments are disabled | FTPS only should be required in your Function App | 2.0.0 |
| App Service | 9.10 | Ensure FTP deployments are disabled | FTPS should be required in your Web App | 2.0.0 |

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | CORS should not allow every resource to access your API App | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Remote debugging should be turned off for API Apps | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | API App should only be accessible over HTTPS | 1.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | CORS should not allow every resource to access your API App | 1.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Function App should only be accessible over HTTPS | 1.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Web Application should only be accessible over HTTPS | 1.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Remote debugging should be turned off for API Apps | 1.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | CORS should not allow every resource to access your API App | 1.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | Diagnostic logs in App Services should be enabled | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | CORS should not allow every resource to access your API App | 1.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Remote debugging should be turned off for API Apps | 1.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | API App should only be accessible over HTTPS | 1.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Function App should only be accessible over HTTPS | 1.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Latest TLS version should be used in your API App | 1.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Latest TLS version should be used in your Function App | 1.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Latest TLS version should be used in your Web App | 1.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Web Application should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | API App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Function App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Latest TLS version should be used in your API App | 1.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Latest TLS version should be used in your Function App | 1.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Latest TLS version should be used in your Web App | 1.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Web Application should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | CORS should not allow every resource to access your API App | 1.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | API App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Latest TLS version should be used in your API App | 1.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Latest TLS version should be used in your Function App | 1.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Latest TLS version should be used in your Web App | 1.0.0 |
System and Communications Protection SC.3.185 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Web Application should only be accessible over HTTPS 1.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. API App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. Function App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. Latest TLS version should be used in your API App 1.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. Latest TLS version should be used in your Function App 1.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. Latest TLS version should be used in your Web App 1.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. Web Application should only be accessible over HTTPS 1.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'HTTP Version' is the latest, if used to run the API app 2.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'HTTP Version' is the latest, if used to run the Function app 2.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'HTTP Version' is the latest, if used to run the Web app 2.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'Java version' is the latest, if used as a part of the API app 2.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'Java version' is the latest, if used as a part of the Function app 2.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'Java version' is the latest, if used as a part of the Web app 2.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'PHP version' is the latest, if used as a part of the API app 2.1.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'PHP version' is the latest, if used as a part of the WEB app 2.1.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'Python version' is the latest, if used as a part of the API app 3.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'Python version' is the latest, if used as a part of the Function app 3.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Ensure that 'Python version' is the latest, if used as a part of the Web app 3.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Latest TLS version should be used in your API App 1.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Latest TLS version should be used in your Function App 1.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Latest TLS version should be used in your Web App 1.0.0

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control AC-2 Account Management Managed identity should be used in your API App 2.0.0
Access Control AC-2 Account Management Managed identity should be used in your Function App 2.0.0
Access Control AC-2 Account Management Managed identity should be used in your Web App 2.0.0
Access Control AC-3 Access Enforcement Managed identity should be used in your API App 2.0.0
Access Control AC-3 Access Enforcement Managed identity should be used in your Function App 2.0.0
Access Control AC-3 Access Enforcement Managed identity should be used in your Web App 2.0.0
Access Control AC-4 Information Flow Enforcement CORS should not allow every resource to access your Web Applications 1.0.0
Access Control AC-17 Remote Access Remote debugging should be turned off for API Apps 1.0.0
Access Control AC-17 Remote Access Remote debugging should be turned off for Function Apps 1.0.0
Access Control AC-17 Remote Access Remote debugging should be turned off for Web Applications 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Remote debugging should be turned off for API Apps 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Remote debugging should be turned off for Function Apps 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Remote debugging should be turned off for Web Applications 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Diagnostic logs in App Services should be enabled 2.0.0
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Diagnostic logs in App Services should be enabled 2.0.0
Audit and Accountability AU-12 Audit Generation Diagnostic logs in App Services should be enabled 2.0.0
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Diagnostic logs in App Services should be enabled 2.0.0
Configuration Management CM-6 Configuration Settings CORS should not allow every resource to access your API App 1.0.0
Configuration Management CM-6 Configuration Settings CORS should not allow every resource to access your Function Apps 1.0.0
Configuration Management CM-6 Configuration Settings CORS should not allow every resource to access your Web Applications 1.0.0
Configuration Management CM-6 Configuration Settings Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' 1.0.0
Configuration Management CM-6 Configuration Settings Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' 1.0.0
Configuration Management CM-6 Configuration Settings Function apps should have 'Client Certificates (Incoming client certificates)' enabled 1.0.1
Configuration Management CM-6 Configuration Settings Remote debugging should be turned off for API Apps 1.0.0
Configuration Management CM-6 Configuration Settings Remote debugging should be turned off for Function Apps 1.0.0
Configuration Management CM-6 Configuration Settings Remote debugging should be turned off for Web Applications 1.0.0
Identification and Authentication IA-2 Identification and Authentication (Organizational Users) Managed identity should be used in your API App 2.0.0
Identification and Authentication IA-2 Identification and Authentication (Organizational Users) Managed identity should be used in your Function App 2.0.0
Identification and Authentication IA-2 Identification and Authentication (Organizational Users) Managed identity should be used in your Web App 2.0.0
Identification and Authentication IA-4 Identifier Management Managed identity should be used in your API App 2.0.0
Identification and Authentication IA-4 Identifier Management Managed identity should be used in your Function App 2.0.0
Identification and Authentication IA-4 Identifier Management Managed identity should be used in your Web App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity API App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity FTPS only should be required in your API App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity FTPS only should be required in your Function App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity FTPS should be required in your Web App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Latest TLS version should be used in your API App 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Latest TLS version should be used in your Function App 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Latest TLS version should be used in your Web App 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Web Application should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection API App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection FTPS only should be required in your API App 2.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection FTPS only should be required in your Function App 2.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection FTPS should be required in your Web App 2.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Function App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Latest TLS version should be used in your API App 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Latest TLS version should be used in your Function App 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Latest TLS version should be used in your Web App 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Web Application should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-28 Protection of Information at Rest App Service Environment should enable internal encryption 1.0.0
System and Communications Protection SC-28 (1) Cryptographic Protection App Service Environment should enable internal encryption 1.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'HTTP Version' is the latest, if used to run the API app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'HTTP Version' is the latest, if used to run the Function app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'HTTP Version' is the latest, if used to run the Web app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Java version' is the latest, if used as a part of the API app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Java version' is the latest, if used as a part of the Function app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Java version' is the latest, if used as a part of the Web app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'PHP version' is the latest, if used as a part of the API app 2.1.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'PHP version' is the latest, if used as a part of the WEB app 2.1.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Python version' is the latest, if used as a part of the API app 3.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Python version' is the latest, if used as a part of the Function app 3.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Python version' is the latest, if used as a part of the Web app 3.0.0

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control AC-2 Account Management Managed identity should be used in your API App 2.0.0
Access Control AC-2 Account Management Managed identity should be used in your Function App 2.0.0
Access Control AC-2 Account Management Managed identity should be used in your Web App 2.0.0
Access Control AC-3 Access Enforcement Managed identity should be used in your API App 2.0.0
Access Control AC-3 Access Enforcement Managed identity should be used in your Function App 2.0.0
Access Control AC-3 Access Enforcement Managed identity should be used in your Web App 2.0.0
Access Control AC-4 Information Flow Enforcement CORS should not allow every resource to access your Web Applications 1.0.0
Access Control AC-17 Remote Access Remote debugging should be turned off for API Apps 1.0.0
Access Control AC-17 Remote Access Remote debugging should be turned off for Function Apps 1.0.0
Access Control AC-17 Remote Access Remote debugging should be turned off for Web Applications 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Remote debugging should be turned off for API Apps 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Remote debugging should be turned off for Function Apps 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Remote debugging should be turned off for Web Applications 1.0.0
Audit and Accountability AU-12 Audit Generation Diagnostic logs in App Services should be enabled 2.0.0
Configuration Management CM-6 Configuration Settings CORS should not allow every resource to access your API App 1.0.0
Configuration Management CM-6 Configuration Settings CORS should not allow every resource to access your Function Apps 1.0.0
Configuration Management CM-6 Configuration Settings CORS should not allow every resource to access your Web Applications 1.0.0
Configuration Management CM-6 Configuration Settings Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' 1.0.0
Configuration Management CM-6 Configuration Settings Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' 1.0.0
Configuration Management CM-6 Configuration Settings Function apps should have 'Client Certificates (Incoming client certificates)' enabled 1.0.1
Configuration Management CM-6 Configuration Settings Remote debugging should be turned off for API Apps 1.0.0
Configuration Management CM-6 Configuration Settings Remote debugging should be turned off for Function Apps 1.0.0
Configuration Management CM-6 Configuration Settings Remote debugging should be turned off for Web Applications 1.0.0
Identification and Authentication IA-2 Identification and Authentication (Organizational Users) Managed identity should be used in your API App 2.0.0
Identification and Authentication IA-2 Identification and Authentication (Organizational Users) Managed identity should be used in your Function App 2.0.0
Identification and Authentication IA-2 Identification and Authentication (Organizational Users) Managed identity should be used in your Web App 2.0.0
Identification and Authentication IA-4 Identifier Management Managed identity should be used in your API App 2.0.0
Identification and Authentication IA-4 Identifier Management Managed identity should be used in your Function App 2.0.0
Identification and Authentication IA-4 Identifier Management Managed identity should be used in your Web App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity API App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity FTPS only should be required in your API App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity FTPS only should be required in your Function App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity FTPS should be required in your Web App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Latest TLS version should be used in your API App 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Latest TLS version should be used in your Function App 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Latest TLS version should be used in your Web App 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Web Application should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection API App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection FTPS only should be required in your API App 2.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection FTPS only should be required in your Function App 2.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection FTPS should be required in your Web App 2.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Function App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Latest TLS version should be used in your API App 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Latest TLS version should be used in your Function App 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Latest TLS version should be used in your Web App 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Web Application should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-28 Protection of Information at Rest App Service Environment should enable internal encryption 1.0.0
System and Communications Protection SC-28 (1) Cryptographic Protection App Service Environment should enable internal encryption 1.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'HTTP Version' is the latest, if used to run the API app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'HTTP Version' is the latest, if used to run the Function app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'HTTP Version' is the latest, if used to run the Web app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Java version' is the latest, if used as a part of the API app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Java version' is the latest, if used as a part of the Function app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Java version' is the latest, if used as a part of the Web app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'PHP version' is the latest, if used as a part of the API app 2.1.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'PHP version' is the latest, if used as a part of the WEB app 2.1.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Python version' is the latest, if used as a part of the API app 3.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Python version' is the latest, if used as a part of the Function app 3.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Python version' is the latest, if used as a part of the Web app 3.0.0
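The policies in the tables above each reduce to one site-level or siteConfig-level property on a Microsoft.Web/sites resource (HTTPS only, minimum TLS version, FTPS state, remote debugging, CORS origins, incoming client certificates, managed identity, HTTP/2). The following is an added example, not Microsoft's code and not the Azure Policy engine: it evaluates those properties offline over a JSON object shaped like the output of `az webapp show` (property names are assumed from that output) and groups the results by control ID to show how one misconfiguration surfaces under several controls at once. The two sample sites are constructed. A clean result from this script is not compliance; only the assigned built-ins, which evaluate Resource Manager aliases server-side, produce a compliance state.

```python
"""Offline approximation of the App Service built-ins listed on this page.

Added example: not Microsoft code. Input mirrors `az webapp show` JSON
(property names assumed); the sample sites below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy: str        # built-in definition the check approximates
    controls: tuple    # control IDs from the tables on this page
    detail: str        # offending property and its value


def _tls(v):
    """Parse '1.2' into (1, 2); an unparsable or missing value sorts below 1.0."""
    try:
        return tuple(int(p) for p in str(v).split("."))
    except ValueError:
        return (0,)


def check_site(site):
    """Return one Finding per policy definition this site would fail."""
    cfg = site.get("siteConfig") or {}
    origins = (cfg.get("cors") or {}).get("allowedOrigins") or []
    ident = (site.get("identity") or {}).get("type")
    findings = []

    def flag(policy, controls, bad, detail):
        if bad:
            findings.append(Finding(policy, controls, detail))

    flag("App should only be accessible over HTTPS",
         ("SC.1.175", "SC.3.185", "SC.3.190", "SC-8", "SC-8 (1)"),
         site.get("httpsOnly") is not True,
         f"httpsOnly={site.get('httpsOnly')!r}")
    # Built-in 1.0.0 tests minTlsVersion == '1.2'; accepting 1.3 too is an assumption here.
    flag("Latest TLS version should be used",
         ("SC.1.175", "SC.3.185", "SC.3.190", "SI.1.210", "SC-8", "SC-8 (1)"),
         _tls(cfg.get("minTlsVersion")) < (1, 2),
         f"minTlsVersion={cfg.get('minTlsVersion')!r}")
    flag("FTPS only should be required",
         ("SC-8", "SC-8 (1)"),
         cfg.get("ftpsState") not in ("FtpsOnly", "Disabled"),
         f"ftpsState={cfg.get('ftpsState')!r}")
    flag("Remote debugging should be turned off",
         ("AC-17", "AC-17 (1)", "CM-6"),
         cfg.get("remoteDebuggingEnabled") is True,
         "remoteDebuggingEnabled=True")
    flag("CORS should not allow every resource",
         ("SC.3.183", "AC-4", "CM-6"),
         "*" in origins,
         f"cors.allowedOrigins={origins!r}")
    flag("Client Certificates (Incoming client certificates) set to On",
         ("CM-6",),
         site.get("clientCertEnabled") is not True,
         f"clientCertEnabled={site.get('clientCertEnabled')!r}")
    flag("Managed identity should be used",
         ("AC-2", "AC-3", "IA-2", "IA-4"),
         ident in (None, "None"),
         f"identity.type={ident!r}")
    flag("Ensure that 'HTTP Version' is the latest",
         ("SI.1.210", "SI-2"),
         cfg.get("http20Enabled") is not True,
         f"http20Enabled={cfg.get('http20Enabled')!r}")
    return findings


def by_control(findings):
    """Group failing policy names by control ID (many-to-many, as the page warns)."""
    out = defaultdict(list)
    for f in findings:
        for c in f.controls:
            out[c].append(f.policy)
    return dict(out)


# Constructed samples: one site with every weak setting, one hardened site.
WEAK_SITE = {
    "name": "contoso-api-weak", "kind": "app",
    "httpsOnly": False, "clientCertEnabled": False, "identity": None,
    "siteConfig": {"minTlsVersion": "1.0", "ftpsState": "AllAllowed",
                   "remoteDebuggingEnabled": True, "http20Enabled": False,
                   "cors": {"allowedOrigins": ["*"]}},
}
HARDENED_SITE = {
    "name": "contoso-api", "kind": "app",
    "httpsOnly": True, "clientCertEnabled": True,
    "identity": {"type": "SystemAssigned"},
    "siteConfig": {"minTlsVersion": "1.2", "ftpsState": "FtpsOnly",
                   "remoteDebuggingEnabled": False, "http20Enabled": True,
                   "cors": {"allowedOrigins": ["https://portal.contoso.example"]}},
}

if __name__ == "__main__":
    for site in (WEAK_SITE, HARDENED_SITE):
        found = check_site(site)
        print(f"{site['name']}: {len(found)} failing policy check(s)")
        for f in found:
            print(f"  {f.policy}: {f.detail}  [{', '.join(f.controls)}]")
        for ctl, pols in sorted(by_control(found).items()):
            print(f"  {ctl}: {len(pols)} failing definition(s)")
```

Two caveats a reviewer would raise when using this as a pre-deployment gate: the client-certificate check only mirrors the flag the built-in reads, so an app that turns the setting on but never validates the forwarded certificate still passes; and the TLS check deliberately accepts a minimum above 1.2, which the 1.0.0 built-in does not, so treat that line as the assumption it is labelled.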

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Remote Diagnostic and Configuration Port Protection 1194.01l2Organizational.2 - 01.l Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed. Remote debugging should be turned off for Web Applications 1.0.0
Remote Diagnostic and Configuration Port Protection 1195.01l3Organizational.1 - 01.l The organization reviews the information system within every three hundred and sixty-five (365) days to identify and disable unnecessary and non-secure functions, ports, protocols, and/or services. Remote debugging should be turned off for Function Apps 1.0.0
Remote Diagnostic and Configuration Port Protection 1196.01l3Organizational.24 - 01.l The organization identifies unauthorized (blacklisted) software on the information system, prevents program execution in accordance with a list of unauthorized (blacklisted) software programs, employs an allow-all, deny-by-exception policy to prohibit execution of known unauthorized (blacklisted) software, and reviews and updates the list of unauthorized (blacklisted) software programs annually. Remote debugging should be turned off for API Apps 1.0.0
Segregation in Networks 0805.01m1Organizational.12 - 01.m The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. App Service should use a virtual network service endpoint 1.0.0
Segregation in Networks 0806.01m2Organizational.12356 - 01.m The organization's network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. App Service should use a virtual network service endpoint 1.0.0
Segregation in Networks 0894.01m2Organizational.7 - 01.m Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. App Service should use a virtual network service endpoint 1.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. API App should only be accessible over HTTPS 1.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Function App should only be accessible over HTTPS 1.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Latest TLS version should be used in your API App 1.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Latest TLS version should be used in your Function App 1.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Latest TLS version should be used in your Web App 1.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Web Application should only be accessible over HTTPS 1.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. API App should only be accessible over HTTPS 1.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Function App should only be accessible over HTTPS 1.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Latest TLS version should be used in your API App 1.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Latest TLS version should be used in your Function App 1.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Latest TLS version should be used in your Web App 1.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Web Application should only be accessible over HTTPS 1.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. API App should only be accessible over HTTPS 1.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. Function App should only be accessible over HTTPS 1.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. Latest TLS version should be used in your API App 1.0.0
| Network Connection Control | 0811.01n2Organizational.6 - 01.n | Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. | Latest TLS version should be used in your Function App | 1.0.0 |
| Network Connection Control | 0811.01n2Organizational.6 - 01.n | Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. | Latest TLS version should be used in your Web App | 1.0.0 |
| Network Connection Control | 0811.01n2Organizational.6 - 01.n | Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. | Web Application should only be accessible over HTTPS | 1.0.0 |
| Network Connection Control | 0812.01n2Organizational.8 - 01.n | Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. | API App should only be accessible over HTTPS | 1.0.0 |
| Network Connection Control | 0812.01n2Organizational.8 - 01.n | Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. | Function App should only be accessible over HTTPS | 1.0.0 |
| Network Connection Control | 0812.01n2Organizational.8 - 01.n | Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. | Latest TLS version should be used in your API App | 1.0.0 |
| Network Connection Control | 0812.01n2Organizational.8 - 01.n | Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. | Latest TLS version should be used in your Function App | 1.0.0 |
| Network Connection Control | 0812.01n2Organizational.8 - 01.n | Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. | Latest TLS version should be used in your Web App | 1.0.0 |
| Network Connection Control | 0812.01n2Organizational.8 - 01.n | Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. | Web Application should only be accessible over HTTPS | 1.0.0 |
| Network Connection Control | 0814.01n1Organizational.12 - 01.n | The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. | API App should only be accessible over HTTPS | 1.0.0 |
| Network Connection Control | 0814.01n1Organizational.12 - 01.n | The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. | Function App should only be accessible over HTTPS | 1.0.0 |
| Network Connection Control | 0814.01n1Organizational.12 - 01.n | The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. | Latest TLS version should be used in your API App | 1.0.0 |
| Network Connection Control | 0814.01n1Organizational.12 - 01.n | The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. | Latest TLS version should be used in your Function App | 1.0.0 |
| Network Connection Control | 0814.01n1Organizational.12 - 01.n | The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. | Latest TLS version should be used in your Web App | 1.0.0 |
| Network Connection Control | 0814.01n1Organizational.12 - 01.n | The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. | Web Application should only be accessible over HTTPS | 1.0.0 |
| Identification of Risks Related to External Parties | 1402.05i1Organizational.45 - 05.i | Remote access connections between the organization and external parties are encrypted. | Function App should only be accessible over HTTPS | 1.0.0 |
| Identification of Risks Related to External Parties | 1403.05i1Organizational.67 - 05.i | Access granted to external parties is limited to the minimum necessary and granted only for the duration required. | Web Application should only be accessible over HTTPS | 1.0.0 |
| Identification of Risks Related to External Parties | 1404.05i2Organizational.1 - 05.i | Due diligence of the external party includes interviews, document review, checklists, certification reviews (e.g. HITRUST) or other remote means. | API App should only be accessible over HTTPS | 1.0.0 |
| Audit Logging | 1209.09aa3System.2 - 09.aa | The information system generates audit records containing the following detailed information: (i) filename accessed; (ii) program or command used to initiate the event; and (iii) source and destination addresses. | Diagnostic logs in App Services should be enabled | 2.0.0 |
| Network Controls | 0861.09m2Organizational.67 - 09.m | To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. | App Service should use a virtual network service endpoint | 1.0.0 |
| Information Exchange Policies and Procedures | 0662.09sCSPOrganizational.2 - 09.s | Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and has documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review. | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| Information Exchange Policies and Procedures | 0901.09s1Organizational.1 - 09.s | The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Information Exchange Policies and Procedures | 0902.09s2Organizational.13 - 09.s | Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions. | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Information Exchange Policies and Procedures | 0911.09s1Organizational.2 - 09.s | The organization establishes terms and conditions, consistent with any trust relationship established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to (i) access the information system from external information systems; and (ii) process, store or transmit organization-controlled information using external information systems. | CORS should not allow every resource to access your API App | 1.0.0 |
| Information Exchange Policies and Procedures | 0912.09s1Organizational.4 - 09.s | Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems. | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Information Exchange Policies and Procedures | 0913.09s1Organizational.5 - 09.s | Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks. | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Information Exchange Policies and Procedures | 0914.09s1Organizational.6 - 09.s | The organization ensures that communication protection requirements, including the security of exchanges of information, is the subject of policy development and compliance audits. | Remote debugging should be turned off for API Apps | 1.0.0 |
| Information Exchange Policies and Procedures | 0915.09s2Organizational.2 - 09.s | The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems. | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| Information Exchange Policies and Procedures | 0916.09s2Organizational.4 - 09.s | The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices. | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Information Exchange Policies and Procedures | 0960.09sCSPOrganizational.1 - 09.s | Cloud service providers use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved. | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Information Exchange Policies and Procedures | 1325.09s1Organizational.3 - 09.s | Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic). | Remote debugging should be turned off for Function Apps | 1.0.0 |
| On-line Transactions | 0949.09y2Organizational.5 - 09.y | The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. | API App should only be accessible over HTTPS | 1.0.0 |
| On-line Transactions | 0949.09y2Organizational.5 - 09.y | The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. | Function App should only be accessible over HTTPS | 1.0.0 |
| On-line Transactions | 0949.09y2Organizational.5 - 09.y | The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. | Latest TLS version should be used in your API App | 1.0.0 |
| On-line Transactions | 0949.09y2Organizational.5 - 09.y | The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. | Latest TLS version should be used in your Function App | 1.0.0 |
| On-line Transactions | 0949.09y2Organizational.5 - 09.y | The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. | Latest TLS version should be used in your Web App | 1.0.0 |
| On-line Transactions | 0949.09y2Organizational.5 - 09.y | The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. | Web Application should only be accessible over HTTPS | 1.0.0 |

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 9.3.1.4 | Information Flow Enforcement (AC-4) | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Access Control | 9.3.1.12 | Remote Access (AC-17) | Remote debugging should be turned off for API Apps | 1.0.0 |
| Access Control | 9.3.1.12 | Remote Access (AC-17) | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Access Control | 9.3.1.12 | Remote Access (AC-17) | Remote debugging should be turned off for Web Applications | 1.0.0 |
| System and Communications Protection | 9.3.16.6 | Transmission Confidentiality and Integrity (SC-8) | API App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | 9.3.16.6 | Transmission Confidentiality and Integrity (SC-8) | Function App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | 9.3.16.6 | Transmission Confidentiality and Integrity (SC-8) | Web Application should only be accessible over HTTPS | 1.0.0 |

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | API App should only be accessible over HTTPS | 1.0.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Function App should only be accessible over HTTPS | 1.0.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Web Application should only be accessible over HTTPS | 1.0.0 |

New Zealand ISM Restricted

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - New Zealand ISM Restricted. For more information about this compliance standard, see New Zealand ISM Restricted.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Software security | SS-2 | 14.1.8 Developing hardened SOEs | Remote debugging should be turned off for API Apps | 1.0.0 |
| Software security | SS-2 | 14.1.8 Developing hardened SOEs | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Software security | SS-2 | 14.1.8 Developing hardened SOEs | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | API App should only be accessible over HTTPS | 1.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | CORS should not allow every resource to access your API App | 1.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | Ensure that 'Java version' is the latest, if used as a part of the API app | 2.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | Ensure that 'Java version' is the latest, if used as a part of the Function app | 2.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | Ensure that 'Java version' is the latest, if used as a part of the Web app | 2.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | Ensure that 'PHP version' is the latest, if used as a part of the API app | 2.1.0 |
| Software security | SS-9 | 14.5.8 Web applications | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | 2.1.0 |
| Software security | SS-9 | 14.5.8 Web applications | Ensure that 'Python version' is the latest, if used as a part of the API app | 3.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | Ensure that 'Python version' is the latest, if used as a part of the Function app | 3.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | Ensure that 'Python version' is the latest, if used as a part of the Web app | 3.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | Function App should only be accessible over HTTPS | 1.0.0 |
| Software security | SS-9 | 14.5.8 Web applications | Web Application should only be accessible over HTTPS | 1.0.0 |
| Access Control and Passwords | AC-2 | 16.1.32 System User Identification | Managed identity should be used in your API App | 2.0.0 |
| Access Control and Passwords | AC-2 | 16.1.32 System User Identification | Managed identity should be used in your Function App | 2.0.0 |
| Access Control and Passwords | AC-2 | 16.1.32 System User Identification | Managed identity should be used in your Web App | 2.0.0 |
| Access Control and Passwords | AC-17 | 16.6.9 Events to be logged | Diagnostic logs in App Services should be enabled | 2.0.0 |
| Cryptography | CR-7 | 17.4.16 Using TLS | FTPS only should be required in your API App | 2.0.0 |
| Cryptography | CR-7 | 17.4.16 Using TLS | FTPS only should be required in your Function App | 2.0.0 |
| Cryptography | CR-7 | 17.4.16 Using TLS | FTPS should be required in your Web App | 2.0.0 |
| Cryptography | CR-7 | 17.4.16 Using TLS | Latest TLS version should be used in your API App | 1.0.0 |
| Cryptography | CR-7 | 17.4.16 Using TLS | Latest TLS version should be used in your Function App | 1.0.0 |
| Cryptography | CR-7 | 17.4.16 Using TLS | Latest TLS version should be used in your Web App | 1.0.0 |

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Remote debugging should be turned off for API Apps | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Remote debugging should be turned off for API Apps | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Remote debugging should be turned off for Web Applications | 1.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | API App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Function App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Latest TLS version should be used in your API App | 1.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Latest TLS version should be used in your Function App | 1.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Latest TLS version should be used in your Web App | 1.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Web Application should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | API App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Web Application should only be accessible over HTTPS | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'HTTP Version' is the latest, if used to run the API app | 2.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'HTTP Version' is the latest, if used to run the Function app | 2.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'HTTP Version' is the latest, if used to run the Web app | 2.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'Java version' is the latest, if used as a part of the API app | 2.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'Java version' is the latest, if used as a part of the Function app | 2.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'Java version' is the latest, if used as a part of the Web app | 2.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'PHP version' is the latest, if used as a part of the API app | 2.1.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | 2.1.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'Python version' is the latest, if used as a part of the API app | 3.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'Python version' is the latest, if used as a part of the Function app | 3.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Ensure that 'Python version' is the latest, if used as a part of the Web app | 3.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Latest TLS version should be used in your API App | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Latest TLS version should be used in your Function App | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Latest TLS version should be used in your Web App | 1.0.0 |

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | Managed identity should be used in your API App | 2.0.0 |
| Access Control | AC-2 | Account Management | Managed identity should be used in your Function App | 2.0.0 |
| Access Control | AC-2 | Account Management | Managed identity should be used in your Web App | 2.0.0 |
| Access Control | AC-3 | Access Enforcement | Managed identity should be used in your API App | 2.0.0 |
| Access Control | AC-3 | Access Enforcement | Managed identity should be used in your Function App | 2.0.0 |
| Access Control | AC-3 | Access Enforcement | Managed identity should be used in your Web App | 2.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Access Control | AC-17 | Remote Access | Remote debugging should be turned off for API Apps | 1.0.0 |
| Access Control | AC-17 | Remote Access | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Access Control | AC-17 | Remote Access | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Remote debugging should be turned off for API Apps | 1.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Diagnostic logs in App Services should be enabled | 2.0.0 |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Diagnostic logs in App Services should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Diagnostic logs in App Services should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Diagnostic logs in App Services should be enabled | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | CORS should not allow every resource to access your API App | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | CORS should not allow every resource to access your Function Apps | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | CORS should not allow every resource to access your Web Applications | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 1.0.1 |
| Configuration Management | CM-6 | Configuration Settings | Remote debugging should be turned off for API Apps | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Remote debugging should be turned off for Function Apps | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Remote debugging should be turned off for Web Applications | 1.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Managed identity should be used in your API App | 2.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Managed identity should be used in your Function App | 2.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Managed identity should be used in your Web App | 2.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | Managed identity should be used in your API App | 2.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | Managed identity should be used in your Function App | 2.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | Managed identity should be used in your Web App | 2.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | API App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | FTPS only should be required in your API App | 2.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | FTPS only should be required in your Function App | 2.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | FTPS should be required in your Web App | 2.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Function App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Latest TLS version should be used in your API App | 1.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Latest TLS version should be used in your Function App | 1.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Latest TLS version should be used in your Web App | 1.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Web Application should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | API App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | FTPS only should be required in your API App | 2.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | FTPS only should be required in your Function App | 2.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | FTPS should be required in your Web App | 2.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Function App should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Latest TLS version should be used in your API App | 1.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Latest TLS version should be used in your Function App | 1.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Latest TLS version should be used in your Web App | 1.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Web Application should only be accessible over HTTPS | 1.0.0 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | App Service Environment should enable internal encryption | 1.0.0 |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | App Service Environment should enable internal encryption | 1.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'HTTP Version' is the latest, if used to run the API app | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'HTTP Version' is the latest, if used to run the Function app | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'HTTP Version' is the latest, if used to run the Web app | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'Java version' is the latest, if used as a part of the API app | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'Java version' is the latest, if used as a part of the Function app | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'Java version' is the latest, if used as a part of the Web app | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'PHP version' is the latest, if used as a part of the API app | 2.1.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | 2.1.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'Python version' is the latest, if used as a part of the API app | 3.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'Python version' is the latest, if used as a part of the Function app | 3.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Ensure that 'Python version' is the latest, if used as a part of the Web app | 3.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'HTTP Version' is the latest, if used to run the API app | 2.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'HTTP Version' is the latest, if used to run the Function app | 2.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'HTTP Version' is the latest, if used to run the Web app | 2.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'Java version' is the latest, if used as a part of the API app | 2.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'Java version' is the latest, if used as a part of the Function app | 2.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'Java version' is the latest, if used as a part of the Web app | 2.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'PHP version' is the latest, if used as a part of the API app | 2.1.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | 2.1.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'Python version' is the latest, if used as a part of the API app | 3.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'Python version' is the latest, if used as a part of the Function app | 3.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Ensure that 'Python version' is the latest, if used as a part of the Web app | 3.0.0 |

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2 Account Management Managed identity should be used in your API App 2.0.0
Access Control AC-2 Account Management Managed identity should be used in your Function App 2.0.0
Access Control AC-2 Account Management Managed identity should be used in your Web App 2.0.0
Access Control AC-3 Access Enforcement Managed identity should be used in your API App 2.0.0
Access Control AC-3 Access Enforcement Managed identity should be used in your Function App 2.0.0
Access Control AC-3 Access Enforcement Managed identity should be used in your Web App 2.0.0
Access Control AC-4 Information Flow Enforcement CORS should not allow every resource to access your Web Applications 1.0.0
Access Control AC-17 Remote Access Remote debugging should be turned off for API Apps 1.0.0
Access Control AC-17 Remote Access Remote debugging should be turned off for Function Apps 1.0.0
Access Control AC-17 Remote Access Remote debugging should be turned off for Web Applications 1.0.0
Access Control AC-17 (1) Monitoring and Control Remote debugging should be turned off for API Apps 1.0.0
Access Control AC-17 (1) Monitoring and Control Remote debugging should be turned off for Function Apps 1.0.0
Access Control AC-17 (1) Monitoring and Control Remote debugging should be turned off for Web Applications 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Diagnostic logs in App Services should be enabled 2.0.0
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Diagnostic logs in App Services should be enabled 2.0.0
Audit and Accountability AU-12 Audit Record Generation Diagnostic logs in App Services should be enabled 2.0.0
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Diagnostic logs in App Services should be enabled 2.0.0
Configuration Management CM-6 Configuration Settings CORS should not allow every resource to access your API App 1.0.0
Configuration Management CM-6 Configuration Settings CORS should not allow every resource to access your Function Apps 1.0.0
Configuration Management CM-6 Configuration Settings CORS should not allow every resource to access your Web Applications 1.0.0
Configuration Management CM-6 Configuration Settings Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' 1.0.0
Configuration Management CM-6 Configuration Settings Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' 1.0.0
Configuration Management CM-6 Configuration Settings Function apps should have 'Client Certificates (Incoming client certificates)' enabled 1.0.1
Configuration Management CM-6 Configuration Settings Remote debugging should be turned off for API Apps 1.0.0
Configuration Management CM-6 Configuration Settings Remote debugging should be turned off for Function Apps 1.0.0
Configuration Management CM-6 Configuration Settings Remote debugging should be turned off for Web Applications 1.0.0
Identification and Authentication IA-2 Identification and Authentication (Organizational Users) Managed identity should be used in your API App 2.0.0
Identification and Authentication IA-2 Identification and Authentication (Organizational Users) Managed identity should be used in your Function App 2.0.0
Identification and Authentication IA-2 Identification and Authentication (Organizational Users) Managed identity should be used in your Web App 2.0.0
Identification and Authentication IA-4 Identifier Management Managed identity should be used in your API App 2.0.0
Identification and Authentication IA-4 Identifier Management Managed identity should be used in your Function App 2.0.0
Identification and Authentication IA-4 Identifier Management Managed identity should be used in your Web App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity API App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity FTPS only should be required in your API App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity FTPS only should be required in your Function App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity FTPS should be required in your Web App 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Latest TLS version should be used in your API App 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Latest TLS version should be used in your Function App 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Latest TLS version should be used in your Web App 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Web Application should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection API App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection FTPS only should be required in your API App 2.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection FTPS only should be required in your Function App 2.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection FTPS should be required in your Web App 2.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Function App should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Latest TLS version should be used in your API App 1.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Latest TLS version should be used in your Function App 1.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Latest TLS version should be used in your Web App 1.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Web Application should only be accessible over HTTPS 1.0.0
System and Communications Protection SC-28 Protection of Information at Rest App Service Environment should enable internal encryption 1.0.0
System and Communications Protection SC-28 (1) Cryptographic Protection App Service Environment should enable internal encryption 1.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'HTTP Version' is the latest, if used to run the API app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'HTTP Version' is the latest, if used to run the Function app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'HTTP Version' is the latest, if used to run the Web app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Java version' is the latest, if used as a part of the API app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Java version' is the latest, if used as a part of the Function app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Java version' is the latest, if used as a part of the Web app 2.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'PHP version' is the latest, if used as a part of the API app 2.1.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'PHP version' is the latest, if used as a part of the WEB app 2.1.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Python version' is the latest, if used as a part of the API app 3.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Python version' is the latest, if used as a part of the Function app 3.0.0
System and Information Integrity SI-2 Flaw Remediation Ensure that 'Python version' is the latest, if used as a part of the Web app 3.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'HTTP Version' is the latest, if used to run the API app 2.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'HTTP Version' is the latest, if used to run the Function app 2.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'HTTP Version' is the latest, if used to run the Web app 2.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'Java version' is the latest, if used as a part of the API app 2.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'Java version' is the latest, if used as a part of the Function app 2.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'Java version' is the latest, if used as a part of the Web app 2.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'PHP version' is the latest, if used as a part of the API app 2.1.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'PHP version' is the latest, if used as a part of the WEB app 2.1.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'Python version' is the latest, if used as a part of the API app 3.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'Python version' is the latest, if used as a part of the Function app 3.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Ensure that 'Python version' is the latest, if used as a part of the Web app 3.0.0

UK OFFICIAL and UK NHS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Data in transit protection 1 Data in transit protection API App should only be accessible over HTTPS 1.0.0
Data in transit protection 1 Data in transit protection Function App should only be accessible over HTTPS 1.0.0
Data in transit protection 1 Data in transit protection Web Application should only be accessible over HTTPS 1.0.0
External interface protection 11 External interface protection Remote debugging should be turned off for API Apps 1.0.0
External interface protection 11 External interface protection Remote debugging should be turned off for Function Apps 1.0.0
External interface protection 11 External interface protection Remote debugging should be turned off for Web Applications 1.0.0

Next steps