Azure Policy built-in initiative definitions

This page is an index of Azure Policy built-in initiative definitions.

The name on each built-in links to the initiative definition source on the Azure Policy GitHub repo. The built-ins are grouped by the category property in their metadata. Each table lists the initiative name, its description, the number of policy definitions it contains, and its version; a version ending in -preview marks a preview initiative.

Cosmos DB

| Name | Description | Policies | Version |
|---|---|---|---|
| Enable Azure Cosmos DB throughput policy | Enable throughput control for Azure Cosmos DB resources in the specified scope (management group, subscription or resource group). Takes max throughput as a parameter. Use this policy to help enforce throughput control via the resource provider. | 2 | 1.0.0 |

Guest Configuration

| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Windows machines should meet requirements for the Azure compute security baseline | This initiative audits Windows machines with settings that do not meet the Azure compute security baseline. For details, visit https://aka.ms/gcpol | 29 | 2.0.1-preview |
| Audit machines with insecure password security settings | This initiative deploys the policy requirements and audits machines with insecure password security settings. For more information on Guest Configuration policies, visit https://aka.ms/gcpol | 9 | 1.0.0 |
| Deploy prerequisites to enable Guest Configuration policies on virtual machines | This initiative adds a system-assigned managed identity and deploys the platform-appropriate Guest Configuration extension to virtual machines that are eligible to be monitored by Guest Configuration policies. This is a prerequisite for all Guest Configuration policies and must be assigned to the policy assignment scope before using any Guest Configuration policy. For more information on Guest Configuration, visit https://aka.ms/gcpol. | 4 | 1.0.0 |
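The index above is produced from the category property in each initiative's metadata, and the Guest Configuration table carries an ordering constraint: the "Deploy prerequisites" initiative must be assigned at (or above) any scope where another Guest Configuration initiative is assigned. The script below is an added example, not Microsoft's code, that rebuilds the category index from policy set definition records and runs two checks a practitioner wants before relying on these built-ins: which built-in initiatives in a category are not assigned at all, and which Guest Configuration assignments sit at a scope that no prerequisites assignment covers. The record shape is assumed to follow the `az policy set-definition list` and `az policy assignment list` output (top-level `displayName`, `metadata`, `policyDefinitions`, `policyDefinitionId`, `scope`); all records, GUIDs and scope names are constructed for the example, and the prerequisites initiative id is a placeholder, not the real built-in id.

```python
"""Rebuild the per-category initiative index and check assignment coverage.

Added example (not Microsoft's code). Input shape mirrors
`az policy set-definition list --query "[?policyType=='BuiltIn']"` and
`az policy assignment list`; every record below is constructed and every id
is a placeholder."""
from collections import defaultdict

PREREQ_NAME = "00000000-0000-0000-0000-0000000000a1"  # placeholder, not the real built-in id
PSD = "/providers/Microsoft.Authorization/policySetDefinitions/"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"  # constructed scope

SET_DEFINITIONS = [  # constructed; names and versions copied from this page
    {"name": PREREQ_NAME, "policyType": "BuiltIn",
     "displayName": "Deploy prerequisites to enable Guest Configuration policies on virtual machines",
     "metadata": {"category": "Guest Configuration", "version": "1.0.0"}, "policyDefinitions": [{}] * 4},
    {"name": "00000000-0000-0000-0000-0000000000a2", "policyType": "BuiltIn",
     "displayName": "Audit machines with insecure password security settings",
     "metadata": {"category": "Guest Configuration", "version": "1.0.0"}, "policyDefinitions": [{}] * 9},
    {"name": "00000000-0000-0000-0000-0000000000a3", "policyType": "BuiltIn",
     "displayName": "[Preview]: Windows machines should meet requirements for the Azure compute security baseline",
     "metadata": {"category": "Guest Configuration", "version": "2.0.1-preview", "preview": True},
     "policyDefinitions": [{}] * 29},
    {"name": "00000000-0000-0000-0000-0000000000b1", "policyType": "BuiltIn", "displayName": "ISO 27001:2013",
     "metadata": {"category": "Regulatory Compliance", "version": "7.0.0"}, "policyDefinitions": [{}] * 50},
    {"name": "00000000-0000-0000-0000-0000000000b2", "policyType": "BuiltIn", "displayName": "FedRAMP High",
     "metadata": {"category": "Regulatory Compliance", "version": "15.0.0"}, "policyDefinitions": [{}] * 255},
    {"name": "custom-hardening", "policyType": "Custom", "displayName": "Custom hardening",  # excluded: not built-in
     "metadata": {"category": "Regulatory Compliance"}, "policyDefinitions": [{}] * 2},
]

ASSIGNMENTS = [  # constructed
    {"name": "iso27001", "policyDefinitionId": PSD + "00000000-0000-0000-0000-0000000000b1", "scope": SUB},
    {"name": "gc-prereq-rg", "policyDefinitionId": PSD + PREREQ_NAME, "scope": SUB + "/resourceGroups/prod-rg"},
    {"name": "gc-passwords", "policyDefinitionId": PSD + "00000000-0000-0000-0000-0000000000a2",
     "scope": SUB + "/resourceGroups/prod-rg"},
    {"name": "gc-baseline", "policyDefinitionId": PSD + "00000000-0000-0000-0000-0000000000a3",
     "scope": SUB + "/resourceGroups/dev-rg"},  # no prerequisites assignment covers dev-rg
]


def is_preview(d):
    """Preview is signalled by metadata.preview or a version with the -preview suffix."""
    meta = d.get("metadata", {})
    return bool(meta.get("preview")) or str(meta.get("version", "")).endswith("-preview")


def index_by_category(defs):
    """Group built-in initiatives by metadata.category, as this page does.
    Returns {category: [(displayName, policyCount, version, preview), ...]}, preview rows first."""
    index = defaultdict(list)
    for d in defs:
        if d.get("policyType") != "BuiltIn":
            continue
        meta = d.get("metadata", {})
        index[meta.get("category", "Uncategorized")].append(
            (d["displayName"], len(d.get("policyDefinitions", [])), meta.get("version", "?"), is_preview(d)))
    for rows in index.values():
        rows.sort(key=lambda r: (not r[3], r[0].lower()))
    return dict(index)


def _set_name(policy_definition_id):
    """Last path segment of a policySetDefinitions resource id, lower-cased for comparison."""
    return policy_definition_id.rsplit("/", 1)[-1].lower()


def unassigned_in_category(defs, assignments, category):
    """Built-in initiatives in `category` that no assignment references."""
    assigned = {_set_name(a["policyDefinitionId"]) for a in assignments}
    return sorted(d["displayName"] for d in defs
                  if d.get("policyType") == "BuiltIn"
                  and d.get("metadata", {}).get("category") == category
                  and d["name"].lower() not in assigned)


def _covers(parent_scope, child_scope):
    """True when an assignment at parent_scope applies to child_scope (same scope or an ancestor)."""
    p = parent_scope.lower().rstrip("/").split("/")
    c = child_scope.lower().rstrip("/").split("/")
    return c[:len(p)] == p


def guest_config_without_prereq(defs, assignments, prereq_name=PREREQ_NAME):
    """Assignments of a Guest Configuration initiative whose scope no prerequisites assignment covers."""
    gc_sets = {d["name"].lower() for d in defs
               if d.get("metadata", {}).get("category") == "Guest Configuration"
               and d["name"].lower() != prereq_name.lower()}
    prereq_scopes = [a["scope"] for a in assignments if _set_name(a["policyDefinitionId"]) == prereq_name.lower()]
    return [a["name"] for a in assignments
            if _set_name(a["policyDefinitionId"]) in gc_sets
            and not any(_covers(s, a["scope"]) for s in prereq_scopes)]


if __name__ == "__main__":
    for category, rows in sorted(index_by_category(SET_DEFINITIONS).items()):
        print(category)
        for name, count, version, preview in rows:
            print(f"  {name} | {count} policies | {version}{' (preview)' if preview else ''}")
    print("Not assigned (Regulatory Compliance):", unassigned_in_category(SET_DEFINITIONS, ASSIGNMENTS, "Regulatory Compliance"))
    print("Guest Configuration assigned without prerequisites:", guest_config_without_prereq(SET_DEFINITIONS, ASSIGNMENTS))
```

The scope check compares path segments rather than string prefixes so that `/resourceGroups/prod` does not count as covering `/resourceGroups/prod-rg`; management-group scopes (`/providers/Microsoft.Management/managementGroups/...`) are a separate hierarchy and would need the subscription's management-group ancestry, which the assignment records alone do not carry.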

Kubernetes

| Name | Description | Policies | Version |
|---|---|---|---|
| Kubernetes cluster pod security baseline standards for Linux-based workloads | This initiative includes the policies for the Kubernetes cluster pod security baseline standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | 5 | 1.2.0 |
| Kubernetes cluster pod security restricted standards for Linux-based workloads | This initiative includes the policies for the Kubernetes cluster pod security restricted standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | 8 | 2.3.0 |

Monitoring

| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Configure Azure Defender for SQL agents on virtual machines | Configure virtual machines to automatically install the Azure Defender for SQL agents where the Azure Monitor Agent is installed. Security Center collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. This policy only applies to VMs in a few regions. | 2 | 1.0.0-preview |
| [Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines | Configure machines to automatically install the Azure Monitor and Azure Security agents. Security Center collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine to store audit records. This policy only applies to VMs in a few regions. | 7 | 3.0.0-preview |
| Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule | Monitor and secure your Linux virtual machines, virtual machine scale sets, and Arc machines by deploying the Azure Monitor Agent extension and associating the machines with a specified Data Collection Rule. Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | 4 | 2.0.0 |
| Configure Windows machines to run Azure Monitor Agent and associate them to a Data Collection Rule | Monitor and secure your Windows virtual machines, virtual machine scale sets, and Arc machines by deploying the Azure Monitor Agent extension and associating the machines with a specified Data Collection Rule. Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | 4 | 2.0.0 |
| Enable Azure Monitor for Virtual Machine Scale Sets | Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (management group, subscription or resource group). Takes a Log Analytics workspace as a parameter. Note: if your scale set's upgradePolicy is set to Manual, the extension is not rolled out automatically; you need to apply it to all VMs in the set by upgrading them, which in the Azure CLI is az vmss update-instances. | 6 | 1.0.1 |
| Enable Azure Monitor for VMs | Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes a Log Analytics workspace as a parameter. | 10 | 2.0.0 |

Network

| Name | Description | Policies | Version |
|---|---|---|---|
| Flow logs should be configured and enabled for every network security group | Audit network security groups to verify that flow logs are configured and that the flow log status is enabled. Enabling flow logs records information about the IP traffic flowing through a network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | 2 | 1.0.0 |

Regulatory Compliance

| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Australian Government ISM PROTECTED | This initiative includes policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/auism-initiative. | 57 | 7.0.0-preview |
| [Preview]: Motion Picture Association of America (MPAA) | This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-init. | 36 | 4.0.3-preview |
| [Preview]: New Zealand ISM Restricted v3.5 | This initiative includes policies that address a subset of New Zealand Information Security Manual v3.5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative. | 183 | 1.0.0-preview |
| [Preview]: Reserve Bank of India - IT Framework for NBFC | This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Non-Banking Financial Companies (NBFC) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/rbiitfnbfc-initiative. | 150 | 1.0.0-preview |
| [Preview]: RMIT Malaysia | This initiative includes policies that address a subset of RMIT requirements. Additional policies will be added in upcoming releases. For more information, visit aka.ms/rmit-initiative. | 227 | 8.0.0-preview |
| [Preview]: SWIFT CSP-CSCF v2020 | This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2020-init. | 60 | 5.0.0-preview |
| [Preview]: SWIFT CSP-CSCF v2021 | This initiative includes policies that address a subset of the SWIFT Customer Security Program's Customer Security Controls Framework v2021 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2021-init. | 144 | 3.0.0-preview |
| Canada Federal PBMM | This initiative includes policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/canadafederalpbmm-init. | 58 | 7.0.0 |
| CIS Microsoft Azure Foundations Benchmark v1.1.0 | This initiative includes policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cisazure110-initiative. | 94 | 14.0.0 |
| CIS Microsoft Azure Foundations Benchmark v1.3.0 | This initiative includes policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cisazure130-initiative. | 99 | 6.1.0 |
| CMMC Level 3 | This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative. | 177 | 10.0.0 |
| FedRAMP High | This initiative includes policies that address a subset of FedRAMP High controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/fedramph-initiative. | 255 | 15.0.0 |
| FedRAMP Moderate | This initiative includes policies that address a subset of FedRAMP Moderate controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/fedrampm-initiative. | 255 | 15.0.0 |
| HITRUST/HIPAA | This initiative includes policies that address a subset of HITRUST/HIPAA controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/hipaa-init. | 118 | 12.0.0 |
| IRS1075 September 2016 | This initiative includes policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/irs1075-init. | 61 | 7.0.0 |
| ISO 27001:2013 | This initiative includes policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init. | 50 | 7.0.0 |
| New Zealand ISM Restricted | This initiative includes policies that address a subset of New Zealand Information Security Manual controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative. | 142 | 10.0.0 |
| NIST SP 800-171 Rev. 2 | This initiative includes policies that address a subset of NIST SP 800-171 Rev. 2 requirements. Policies may be added or removed in future releases. For more information, visit https://aka.ms/nist800171r2-initiative. | 257 | 13.0.0 |
| NIST SP 800-53 Rev. 4 | This initiative includes policies that address a subset of NIST SP 800-53 Rev. 4 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r4-initiative. | 984 | 15.0.0 |
| NIST SP 800-53 Rev. 5 | This initiative includes policies that address a subset of NIST SP 800-53 Rev. 5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r5-initiative. | 965 | 12.0.0 |
| PCI v3.2.1:2018 | This initiative includes policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/pciv321-init. | 36 | 6.0.0 |
| UK OFFICIAL and UK NHS | This initiative includes audit and virtual machine extension deployment policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/ukofficial-init and https://aka.ms/uknhs-init. | 58 | 8.0.0 |

SDN

| Name | Description | Policies | Version |
|---|---|---|---|
| Audit Public Network Access Initiative | Audit Azure resources that allow access from the public internet. | 13 | 1.0.0 |

Security Center

| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Configure virtual and Arc-enabled machines to create the default Microsoft Defender for Cloud pipeline | Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for Cloud collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target machines must be in a supported location. | 13 | 1.0.0-preview |
| [Preview]: Configure virtual and Arc-enabled machines to create the user-defined Microsoft Defender for Cloud pipeline | Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for Cloud collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Uses the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target machines must be in a supported location. | 13 | 1.0.0-preview |
| [Preview]: Deploy Microsoft Defender for Endpoint agent | Deploy the Microsoft Defender for Endpoint agent on applicable images. | 4 | 1.0.0-preview |
| Azure Security Benchmark | The Azure Security Benchmark initiative represents the policies and controls implementing the security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | 204 | 50.0.0 |
| Configure Advanced Threat Protection to be enabled on open-source relational databases | Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu. | 3 | 1.0.0 |
| Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances | Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | 2 | 2.0.0 |

Trusted Launch

| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs | Configure Trusted Launch enabled virtual machines to automatically install the Guest Attestation extension and enable a system-assigned managed identity, so that Azure Security Center can proactively attest and monitor boot integrity. Boot integrity is attested via Remote Attestation. For more details, see https://aka.ms/trustedlaunch. | 7 | 3.0.0-preview |

Next steps