Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers

Regulatory Compliance in Azure Policy provides Microsoft-created and -managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Arc-enabled servers. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Windows machines should meet requirements for 'Security Settings - Account Policies' | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that have accounts without passwords | 1.0.0 |

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Identity Management | IM-4 | Use strong authentication controls for all Azure Active Directory based access | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Posture and Vulnerability Management | PV-4 | Sustain secure configurations for compute resources | Linux machines should meet requirements for the Azure compute security baseline | 1.1.1-preview |
| Posture and Vulnerability Management | PV-4 | Sustain secure configurations for compute resources | Windows machines should meet requirements of the Azure compute security baseline | 1.0.1-preview |
| Posture and Vulnerability Management | PV-6 | Perform software vulnerability assessments | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| Endpoint Security | ES-2 | Use centrally managed modern anti-malware software | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
| Endpoint Security | ES-2 | Use centrally managed modern anti-malware software | Endpoint protection should be installed on your machines | 1.0.0 |
| Endpoint Security | ES-2 | Use centrally managed modern anti-malware software | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| Endpoint Security | ES-3 | Ensure anti-malware software and signatures are updated | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
| Endpoint Security | ES-3 | Ensure anti-malware software and signatures are updated | Endpoint protection should be installed on your machines | 1.0.0 |

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Administrative Templates - Network' | 2.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 2.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have extra accounts in the Administrators group | 1.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-5 | Separation of Duties | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | AC-5 | Separation of Duties | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | AC-6 | Least Privilege | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | AC-6 | Least Privilege | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 3.0.0 |

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'User Rights Assignment' | 2.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 2.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'User Rights Assignment' | 2.0.0 |
| Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure compute security baseline | 1.1.1-preview |
| Configuration Management | CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 2.0.0 |
| Configuration Management | CM.2.063 | Control and monitor user-installed software. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0 |
| Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | 2.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Windows web servers should be configured to use secure communication protocols | 3.0.0 |

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 1.1.1-preview |
| Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 1.0.1-preview |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| System and Communications Protection | SC-3 | Security Function Isolation | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Information Integrity | SI-3 (1) | Central Management | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| System and Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 1.1.1-preview |
| Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 1.0.1-preview |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Information Integrity | SI-3 (1) | Central Management | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| System and Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Privilege Management | 1148.01c2System.78 - 01.c | The organization restricts access to privileged functions and all security-relevant information. | Windows machines should meet requirements for 'Security Options - Accounts' | 2.0.0 |
| User Identification and Authentication | 11210.01q2Organizational.10 - 01.q | Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| User Identification and Authentication | 11211.01q2Organizational.11 - 01.q | Signed electronic records shall contain information associated with the signing in human-readable format. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| User Identification and Authentication | 1123.01q1System.2 - 01.q | Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions. | Audit Windows machines that have extra accounts in the Administrators group | 1.0.0 |
| User Identification and Authentication | 1125.01q2System.1 - 01.q | Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access). | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| User Identification and Authentication | 1127.01q2System.3 - 01.q | Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Monitoring System Use | 12102.09ab1Organizational.4 - 09.ab | The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes. | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Monitoring System Use | 1217.09ab3System.3 - 09.ab | Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations. | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Segregation of Duties | 1232.09c3Organizational.12 - 09.c | Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. | Windows machines should meet requirements for 'User Rights Assignment' | 2.0.0 |
| Segregation of Duties | 1277.09c2Organizational.4 - 09.c | The initiation of an event is separated from its authorization to reduce the possibility of collusion. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0 |
| Network Controls | 0858.09m1Organizational.4 - 09.m | The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. | Windows machines should meet requirements for 'Windows Firewall Properties' | 2.0.0 |
| Network Controls | 0861.09m2Organizational.67 - 09.m | To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| On-line Transactions | 0945.09y1Organizational.3 - 09.y | Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). | Audit Windows machines that do not contain the specified certificates in Trusted Root | 1.0.1 |
| Control of Operational Software | 0605.10h1System.12 - 10.h | Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. | Windows machines should meet requirements for 'Security Options - Audit' | 2.0.0 |
| Control of Operational Software | 0605.10h1System.12 - 10.h | Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. | Windows machines should meet requirements for 'System Audit Policies - Account Management' | 2.0.0 |
| Change Control Procedures | 0635.10k1Organizational.12 - 10.k | Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0636.10k2Organizational.1 - 10.k | The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management (e.g., through policies, standards, processes). | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0637.10k2Organizational.2 - 10.k | The organization has developed, documented, and implemented a configuration management plan for the information system. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0638.10k2Organizational.34569 - 10.k | Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0639.10k2Organizational.78 - 10.k | Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0640.10k2Organizational.1012 - 10.k | Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0641.10k2Organizational.11 - 10.k | The organization does not use automated updates on critical systems. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0642.10k3Organizational.12 - 10.k | The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0643.10k3Organizational.3 - 10.k | The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0644.10k3Organizational.4 - 10.k | The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Control of Technical Vulnerabilities | 0709.10m1Organizational.1 - 10.m | Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 2.0.0 |
| Business Continuity and Risk Assessment | 1637.12b2Organizational.2 - 12.b | Business impact analysis are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. | Windows machines should meet requirements for 'Security Options - Recovery console' | 2.0.0 |

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 9.3.1.5 | Separation of Duties (AC-5) | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | 9.3.1.5 | Separation of Duties (AC-5) | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | 9.3.1.6 | Least Privilege (AC-6) | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | 9.3.1.6 | Least Privilege (AC-6) | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | 9.3.1.12 | Remote Access (AC-17) | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| System and Communications Protection | 9.3.16.6 | Transmission Confidentiality and Integrity (SC-8) | Windows web servers should be configured to use secure communication protocols | 3.0.0 |

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access control | 9.1.2 | Access to networks and network services | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access control | 9.1.2 | Access to networks and network services | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Access control | 9.2.4 | Management of secret authentication information of users | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |

New Zealand ISM Restricted

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - New Zealand ISM Restricted. For more information about this compliance standard, see New Zealand ISM Restricted.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Information security monitoring | ISM-4 6.2.6 | Resolving vulnerabilities | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| Access Control and Passwords | AC-4 16.1.40 | Password selection policy | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Access Control and Passwords | AC-4 16.1.40 | Password selection policy | Windows machines should meet requirements for 'Security Settings - Account Policies' | 2.0.0 |
| Access Control and Passwords | AC-11 16.4.30 | Privileged Access Management | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control and Passwords | AC-11 16.4.30 | Privileged Access Management | Audit Windows machines that have extra accounts in the Administrators group | 1.0.0 |
| Access Control and Passwords | AC-11 16.4.30 | Privileged Access Management | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control and Passwords | AC-13 16.5.10 | Authentication | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Cryptography | CR-7 17.4.16 | Using TLS | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| Cryptography | CR-9 17.5.7 | Authentication mechanisms | Authentication to Linux machines should require SSH keys | 2.0.1 |

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows web servers should be configured to use secure communication protocols | 3.0.0 |

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 1.1.1-preview |
| Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 1.0.1-preview |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| System and Communications Protection | SC-3 | Security Function Isolation | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Information Integrity | SI-3 (1) | Central Management | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| System and Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 | Audit Record Generation | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 | Audit Record Generation | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 1.1.1-preview |
| Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 1.0.1-preview |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| System and Communications Protection | SC-3 | Security Function Isolation | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic Protection | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| System and Information Integrity | SI-4 | System Monitoring | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| System and Information Integrity | SI-4 | System Monitoring | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| System and Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |

UK OFFICIAL and UK NHS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Data in transit protection | 1 | Data in transit protection | Windows web servers should be configured to use secure communication protocols | 3.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |

Next steps