Azure Policy built-in policy definitions

This page is an index of Azure Policy built-in policy definitions.

The name of each built-in links to the policy definition in the Azure portal. Use the link in the Source column to view the source on the Azure Policy GitHub repo. The built-ins are grouped by the category property in metadata. To jump to a specific category, use the menu on the right side of the page. Otherwise, use Ctrl-F to use your browser's search feature.

API for FHIR

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure API for FHIR should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. audit, disabled 1.0.1
Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Audit, Disabled 1.0.0
CORS should not allow every domain to access your API for FHIR Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. audit, disabled 1.0.0

API Management

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
API Management service should use a SKU that supports virtual networks With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. Audit, Deny, Disabled 1.0.0
API Management services should disable public network access To improve the security of API Management services, ensure that endpoints aren't exposed to the public internet. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. AuditIfNotExists, Disabled 1.0.0
API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. Audit, Disabled 1.0.1
Configure API Management services to disable public network access To improve the security of API Management services, disable public endpoints. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. DeployIfNotExists, Disabled 1.0.0

App Configuration

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Configuration should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Audit, Deny, Disabled 1.0.0
App Configuration should use a customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. Audit, Deny, Disabled 1.1.0
App Configuration should use a SKU that supports private link When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. Audit, Deny, Disabled 1.0.0
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
App Configuration stores should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Audit, Deny, Disabled 1.0.0
Configure App Configuration stores to disable local authentication methods Disable local authentication methods so that your App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Modify, Disabled 1.0.0
Configure App Configuration to disable public network access Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Modify, Disabled 1.0.0
Configure private DNS zones for private endpoints connected to App Configuration Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. DeployIfNotExists, Disabled 1.0.0
Configure private endpoints for App Configuration Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. DeployIfNotExists, Disabled 1.0.0

App Platform

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. Audit, Disabled 1.0.0-preview
Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Audit, Disabled, Deny 1.0.0

App Service

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
API apps should use an Azure file share for its content directory The content directory of an API app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Audit, Disabled 1.0.0
App Service Apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Audit, Deny, Disabled 1.0.0
App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. AuditIfNotExists, Disabled 1.0.0
App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Audit, Deny, Disabled 1.0.0
App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Audit, Deny, Disabled 1.0.0
App Service Environment should be configured with strongest TLS Cipher suites The two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Audit, Disabled 1.0.0
App Service Environment should be provisioned with latest versions Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. Audit, Deny, Disabled 1.0.0
App Service Environment should disable TLS 1.0 and 1.1 TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. Audit, Deny, Disabled 2.0.0
App Service Environment should enable internal encryption Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Audit, Disabled 1.0.0
App Service should have local authentication methods disabled for FTP deployments Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. AuditIfNotExists, Disabled 1.0.0
App Service should have local authentication methods disabled for SCM site deployments Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. AuditIfNotExists, Disabled 1.0.0
App Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. AuditIfNotExists, Disabled 1.0.0
App Service slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. AuditIfNotExists, Disabled 1.0.0
App Service slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. AuditIfNotExists, Disabled 1.0.0
App Services should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. AuditIfNotExists, Disabled 1.0.0
Authentication should be enabled on your API app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app AuditIfNotExists, Disabled 1.0.0
Authentication should be enabled on your Function app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app AuditIfNotExists, Disabled 1.0.0
Authentication should be enabled on your web app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app AuditIfNotExists, Disabled 1.0.0
Configure App Service slots to disable local authentication for FTP deployments. Disable local authentication methods for FTP deployments so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. DeployIfNotExists, Disabled 1.0.0
Configure App Service slots to disable local authentication for SCM sites. Disable local authentication methods for SCM sites so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. DeployIfNotExists, Disabled 1.0.0
Configure App Service to disable local authentication for SCM sites. Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. DeployIfNotExists, Disabled 1.0.0
Configure App Service to disable local authentication on FTP deployments. Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. DeployIfNotExists, Disabled 1.0.0
Configure App Services to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. DeployIfNotExists, Disabled 1.0.0
Configure App Services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. DeployIfNotExists, Disabled 1.0.0
CORS should not allow every resource to access your API App Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. AuditIfNotExists, Disabled 1.0.0
CORS should not allow every resource to access your Function Apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 1.0.0
CORS should not allow every resource to access your Web Applications Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. AuditIfNotExists, Disabled 1.0.0
Diagnostic logs in App Services should be enabled Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised AuditIfNotExists, Disabled 2.0.0
Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Audit, Disabled 1.0.0
Ensure that 'HTTP Version' is the latest, if used to run the API app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 2.0.0
Ensure that 'HTTP Version' is the latest, if used to run the Function app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 2.0.0
Ensure that 'HTTP Version' is the latest, if used to run the Web app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 2.0.0
Ensure that 'Java version' is the latest, if used as a part of the API app Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 2.0.0
Ensure that 'Java version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 2.0.0
Ensure that 'Java version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 2.0.0
Ensure that 'PHP version' is the latest, if used as a part of the API app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 2.1.0
Ensure that 'PHP version' is the latest, if used as a part of the WEB app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 2.1.0
Ensure that 'Python version' is the latest, if used as a part of the API app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 3.0.0
Ensure that 'Python version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 3.0.0
Ensure that 'Python version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. AuditIfNotExists, Disabled 3.0.0
Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Audit, Disabled 1.0.0
FTPS only should be required in your API App Enable FTPS enforcement for enhanced security AuditIfNotExists, Disabled 2.0.0
FTPS only should be required in your Function App Enable FTPS enforcement for enhanced security AuditIfNotExists, Disabled 2.0.0
FTPS should be required in your Web App Enable FTPS enforcement for enhanced security AuditIfNotExists, Disabled 2.0.0
Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Audit, Disabled 1.0.1
Function apps should use an Azure file share for its content directory The content directory of a function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Audit, Disabled 1.0.0
Latest TLS version should be used in your API App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Latest TLS version should be used in your Function App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Latest TLS version should be used in your Web App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Managed identity should be used in your API App Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 2.0.0
Managed identity should be used in your Function App Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 2.0.0
Managed identity should be used in your Web App Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 2.0.0
Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Function Apps Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Web Applications Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Resource logs in App Services should be enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 1.0.0
Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Web apps should use an Azure file share for its content directory The content directory of a web app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Audit, Disabled 1.0.0

Attestation

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Attestation providers should use private endpoints Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. AuditIfNotExists, Disabled 1.0.0

Automanage

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. DeployIfNotExists, Disabled 4.1.0

Automation

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Audit, Deny, Disabled 1.1.0
Automation accounts should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. Audit, Deny, Disabled 1.0.0
Azure Automation account should have local authentication method disabled Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Audit, Deny, Disabled 1.0.0
Azure Automation accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/automation-cmk](../../../../articles/automation/automation-secure-asset-encryption.md#:~:text=Secure assets in Azure Automation include credentials, certificates, connections,,Using Microsoft-managed keys). Audit, Deny, Disabled 1.0.0
Configure Azure Automation account to disable local authentication Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Modify, Disabled 1.0.0
Configure Azure Automation accounts to disable public network access Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Modify, Disabled 1.0.0
Configure Azure Automation accounts with private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure private endpoint connections on Azure Automation accounts Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security. DeployIfNotExists, Disabled 1.0.0
Private endpoint connections on Automation Accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security AuditIfNotExists, Disabled 1.0.0

Azure Active Directory

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. Audit, Deny, Disabled 1.1.0

Azure Data Explorer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Data Explorer encryption at rest should use a customer-managed key Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. Audit, Deny, Disabled 1.0.0
Disk encryption should be enabled on Azure Data Explorer Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. Audit, Deny, Disabled 2.0.0
Double encryption should be enabled on Azure Data Explorer Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Audit, Deny, Disabled 2.0.0
Virtual network injection should be enabled for Azure Data Explorer Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. Audit, Deny, Disabled 1.0.0

Azure Edge Hardware Center

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Edge Hardware Center devices should have double encryption support enabled Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. Audit, Deny, Disabled 1.0.0

Azure Stack Edge

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Stack Edge devices should use double-encryption To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. audit, deny, disabled 1.0.0

Backup

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 2.0.0
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Recovery Services vaults should use private link for backup Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. Audit, Disabled 2.0.0-preview
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. deployIfNotExists, auditIfNotExists, disabled 3.0.0
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. deployIfNotExists, auditIfNotExists, disabled 3.0.0
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. deployIfNotExists, auditIfNotExists, disabled 3.0.0
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. deployIfNotExists, auditIfNotExists, disabled 3.0.0
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. DeployIfNotExists, Disabled 1.0.1-preview
Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. deployIfNotExists 1.0.2

Batch

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Batch account should use customer-managed keys to encrypt data Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. Audit, Deny, Disabled 1.0.1
Azure Batch pools should have disk encryption enabled Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. Audit, Disabled, Deny 1.0.0
Batch accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Audit, Deny, Disabled 1.0.0
Configure Batch accounts to disable local authentication Disable location authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Modify, Disabled 1.0.0
Configure Batch accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. DeployIfNotExists, Disabled 1.0.0
Metric alert rules should be configured on Batch accounts Audit configuration of metric alert rules on Batch account to enable the required metric AuditIfNotExists, Disabled 1.0.0
Private endpoint connections on Batch accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity. AuditIfNotExists, Disabled 1.0.0
Public network access should be disabled for Batch accounts Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Audit, Deny, Disabled 1.0.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

Bot Service

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Bot Service endpoint should be a valid HTTPS URI Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. audit, deny, disabled 1.0.1
Bot Service should be encrypted with a customer-managed key Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. audit, deny, disabled 1.0.0
Bot Service should have isolated mode enabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. audit, deny, disabled 1.0.0
Bot Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. Audit, Deny, Disabled 1.0.0
BotService resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. Audit, Disabled 1.0.0
Configure BotService resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure BotService resources with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. DeployIfNotExists, Disabled 1.0.0

Cache

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Cache for Redis should disable public network access Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Audit, Deny, Disabled 1.0.0
Azure Cache for Redis should reside within a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Audit, Deny, Disabled 1.0.3
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Configure Azure Cache for Redis to disable public network access Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. Modify, Disabled 1.0.0
Configure Azure Cache for Redis to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure Azure Cache for Redis with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. DeployIfNotExists, Disabled 1.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0

Cognitive Services

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Cognitive Services accounts should disable public network access Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Deny, Disabled 2.0.0
Cognitive Services accounts should enable data encryption with a customer-managed key Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. Audit, Deny, Disabled 2.0.0
Cognitive Services accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Audit, Deny, Disabled 1.0.0
Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 2.0.0
Cognitive Services accounts should use a managed identity Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. Audit, Deny, Disabled 1.0.0
Cognitive Services accounts should use customer owned storage Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. Audit, Deny, Disabled 2.0.0
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 2.0.0
Configure Cognitive Services accounts to disable local authentication methods Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Modify, Disabled 1.0.0
Configure Cognitive Services accounts to disable public network access Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Disabled, Modify 2.0.0
Configure Cognitive Services accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. DeployIfNotExists, Disabled 1.0.0
Configure Cognitive Services accounts with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. DeployIfNotExists, Disabled 2.0.0

Compute

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Allowed virtual machine size SKUs This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. Deny 1.0.1
Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. auditIfNotExists 1.0.0
Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks audit 1.0.0
Configure disaster recovery on virtual machines by enabling replication Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. To learn more about disaster recovery, visit https://aka.ms/asr-doc. DeployIfNotExists, Disabled 1.2.0
Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. DeployIfNotExists, Disabled 1.0.0
Configure disk access resources with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. DeployIfNotExists, Disabled 1.0.0
Configure managed disks to disable public network access Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. Modify, Disabled 1.0.0
Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. deployIfNotExists 1.0.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Managed disks should be double encrypted with both platform-managed and customer-managed keys High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. Audit, Deny, Disabled 1.0.0
Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Audit, Disabled 1.0.0
Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. Audit, Deny, Disabled 2.0.0
Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. AuditIfNotExists, Disabled 1.0.0
Microsoft IaaSAntimalware extension should be deployed on Windows servers This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. AuditIfNotExists, Disabled 1.0.0
Only approved VM extensions should be installed This policy governs the virtual machine extensions that are not approved. Audit, Deny, Disabled 1.0.0
OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. Audit, Deny, Disabled 2.0.0
Require automatic OS image patching on Virtual Machine Scale Sets This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. deny 1.0.0
Resource logs in Virtual Machine Scale Sets should be enabled It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. AuditIfNotExists, Disabled 2.0.1
Unattached disks should be encrypted This policy audits any unattached disk without encryption enabled. Audit, Disabled 1.0.0
Virtual machines and virtual machine scale sets should have encryption at host enabled Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. Audit, Deny, Disabled 1.0.0
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0

Container Instance

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Container Instance container group should deploy into a virtual network Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. Audit, Disabled, Deny 1.0.0
Azure Container Instance container group should use customer-managed key for encryption Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled, Deny 1.0.0

Container Registry

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure container registries to disable local authentication. Disable local authentication so that your container registries exclusively require Azure Active Directory identities for authentication. Learn more about at: https://aka.ms/acr/authentication. Modify, Disabled 1.0.0
Configure Container registries to disable public network access Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Modify, Disabled 1.0.0
Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. DeployIfNotExists, Disabled 1.0.0
Configure Container registries with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. DeployIfNotExists, Disabled 1.0.0
Container registries should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. Audit, Deny, Disabled 1.1.2
Container registries should have exports disabled Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. Audit, Deny, Disabled 1.0.0
Container registries should have local authentication methods disabled. Disabling local authentication methods improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Audit, Deny, Disabled 1.0.0
Container registries should have SKUs that support Private Links Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. Audit, Deny, Disabled 1.0.0
Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. Audit, Deny, Disabled 1.1.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
Public network access should be disabled for Container registries Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Audit, Deny, Disabled 1.0.0

Cosmos DB

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Audit, Deny, Disabled 2.0.0
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. audit, deny, disabled 1.0.2
Azure Cosmos DB allowed locations This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. [parameters('policyEffect')] 1.0.0
Azure Cosmos DB key based metadata write access should be disabled This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. append 1.0.0
Azure Cosmos DB should disable public network access Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Audit, Deny, Disabled 1.0.0
Azure Cosmos DB throughput should be limited This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. audit, deny, disabled 1.0.0
Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Modify, Disabled 1.0.0
Configure CosmosDB accounts to disable public network access Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Modify, Disabled 1.0.0
Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure CosmosDB accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. DeployIfNotExists, Disabled 1.0.0
Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Audit, Deny, Disabled 1.0.0
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Deploy Advanced Threat Protection for Cosmos DB Accounts This policy enables Advanced Threat Protection across Cosmos DB accounts. DeployIfNotExists, Disabled 1.0.0

Custom Provider

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy associations for a custom provider Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. deployIfNotExists 1.0.0

Data Box

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Data Box jobs should enable double encryption for data at rest on the device Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. Audit, Deny, Disabled 1.0.0
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. Audit, Deny, Disabled 1.0.0

Data Factory

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure data factories should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. Audit, Deny, Disabled 1.0.1
[Preview]: Azure Data Factory integration runtime should have a limit for number of cores To manage your resources and costs, limit the number of cores for an integration runtime. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Data Factory linked services should use Key Vault for storing secrets To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Data Factory should use a Git repository for source control Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. Audit, Deny, Disabled 1.0.0-preview
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Configure Data Factories to disable public network access Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Modify, Disabled 1.0.0
Configure private DNS zones for private endpoints that connect to Azure Data Factory Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. DeployIfNotExists, Disabled 1.0.0
Configure private endpoints for Data factories Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. DeployIfNotExists, Disabled 1.0.0
Public network access on Azure Data Factory should be disabled Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. Audit, Deny, Disabled 1.0.0
SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Audit, Deny, Disabled 2.0.0

Data Lake

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Require encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts deny 1.0.0
Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

Event Grid

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Event Grid domains should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Audit, Deny, Disabled 1.0.0
Azure Event Grid domains should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Audit, Deny, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid partner namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Audit, Deny, Disabled 1.0.0
Azure Event Grid topics should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Audit, Deny, Disabled 1.0.0
Azure Event Grid topics should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Audit, Deny, Disabled 1.0.0
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Configure Azure Event Grid domains to disable local authentication Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Modify, Disabled 1.0.0
Configure Azure Event Grid partner namespaces to disable local authentication Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Modify, Disabled 1.0.0
Configure Azure Event Grid topics to disable local authentication Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Modify, Disabled 1.0.0
Deploy - Configure Azure Event Grid domains to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. deployIfNotExists, Disabled 1.0.0
Deploy - Configure Azure Event Grid domains with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure Azure Event Grid topics to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. deployIfNotExists, Disabled 1.0.0
Deploy - Configure Azure Event Grid topics with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. DeployIfNotExists, Disabled 1.0.0
Modify - Configure Azure Event Grid domains to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Modify, Disabled 1.0.0
Modify - Configure Azure Event Grid topics to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Modify, Disabled 1.0.0

Event Hub

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Audit, Deny, Disabled 1.0.1
Authorization rules on the Event Hub instance should be defined Audit existence of authorization rules on Event Hub entities to grant least-privileged access AuditIfNotExists, Disabled 1.0.0
Configure Event Hub namespaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. DeployIfNotExists, Disabled 1.0.0
Configure Event Hub namespaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. DeployIfNotExists, Disabled 1.0.0
Event Hub namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Audit, Deny, Disabled 1.0.0
Event Hub namespaces should use a customer-managed key for encryption Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. Audit, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

General

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. deny 1.0.0
Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. deny 1.0.0
Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. deny 1.0.0
Audit resource location matches resource group location Audit that the resource location matches its resource group location audit 2.0.0
Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.0
Custom subscription owner roles should not exist This policy ensures that no custom subscription owner roles exist. Audit, Disabled 2.0.0
Not allowed resource types Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. Audit, Deny, Disabled 2.0.0

Guest Configuration

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords AuditIfNotExists, Disabled 1.0.0
Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 AuditIfNotExists, Disabled 1.0.0
Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. auditIfNotExists 3.0.0
Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords AuditIfNotExists, Disabled 1.0.0
Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. auditIfNotExists 3.0.0
Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines network connectivity Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines on which the DSC configuration is not compliant Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. auditIfNotExists 1.0.0
Audit Windows machines on which the Log Analytics agent is not connected as expected Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines on which the specified services are not installed and 'Running' Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines on which Windows Serial Console is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. auditIfNotExists 1.0.0
Audit Windows machines that allow re-use of the previous 24 passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that are not joined to the specified domain Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines that are not set to the specified time zone Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines that contain certificates expiring within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. auditIfNotExists 1.0.0
Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. auditIfNotExists 1.0.1
Audit Windows machines that do not have a maximum password age of 70 days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have a minimum password age of 1 day Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have the specified Windows PowerShell execution policy Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have the specified Windows PowerShell modules installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. AuditIfNotExists, Disabled 2.0.0
Audit Windows machines that do not restrict the minimum password length to 14 characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. auditIfNotExists 1.0.0
Audit Windows machines that have extra accounts in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines that have not restarted within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. auditIfNotExists 1.0.0
Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. auditIfNotExists 1.0.0
Audit Windows VMs with a pending reboot Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. auditIfNotExists 1.0.0
Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. AuditIfNotExists, Disabled 2.0.1
Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. deployIfNotExists 1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
[Preview]: Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. AuditIfNotExists, Disabled 1.1.1-preview
Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. AuditIfNotExists, Disabled 1.0.0
Private endpoints for Guest Configuration assignments should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. Audit, Deny, Disabled 1.0.0
Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). AuditIfNotExists, Disabled 1.1.1
Windows machines should meet requirements for 'Administrative Templates - Control Panel' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Administrative Templates - Network' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Administrative Templates - System' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Accounts' Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Audit' Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Devices' Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Interactive Logon' Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Microsoft Network Client' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Network Security' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Recovery console' Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Shutdown' Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - System objects' Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - System settings' Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - User Account Control' Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Settings - Account Policies' Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'System Audit Policies - Account Logon' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'System Audit Policies - Object Access' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'System Audit Policies - Policy Change' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'System Audit Policies - Privilege Use' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'System Audit Policies - System' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'User Rights Assignment' Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Windows Components' Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 2.0.0
[Preview]: Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. AuditIfNotExists, Disabled 1.0.1-preview
Windows machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. AuditIfNotExists, Disabled 1.0.0
Windows web servers should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. AuditIfNotExists, Disabled 3.0.0

HDInsight

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure HDInsight clusters should be injected into a virtual network Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration. Audit, Disabled, Deny 1.0.0
Azure HDInsight clusters should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. Audit, Deny, Disabled 1.0.1
Azure HDInsight clusters should use encryption at host to encrypt data at rest Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Audit, Deny, Disabled 1.0.0
Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. Audit, Deny, Disabled 1.0.0

Healthcare APIs

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
CORS should not allow every domain to access your FHIR Service Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. audit, disabled 1.0.0

Internet of Things

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure IoT Hub should have local authentication methods disabled for Service Apis Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively require Azure Active Directory identities for Service Api authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Audit, Deny, Disabled 1.0.0
[Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://aka.ms/iotcmk. Audit, Deny, Disabled 1.0.0-preview
Configure Azure IoT Hub to disable local authentication Disable local authentication methods so that your Azure IoT Hub exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Modify, Disabled 1.0.0
Configure IoT Hub device provisioning instances to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet. DeployIfNotExists, Disabled 1.0.0
Configure IoT Hub device provisioning service instances to disable public network access Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/iotdpsvnet. Modify, Disabled 1.0.0
Configure IoT Hub device provisioning service instances with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/iotdpsvnet. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure Azure IoT Hubs to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. deployIfNotExists, disabled 1.0.0
Deploy - Configure Azure IoT Hubs with private endpoints A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. DeployIfNotExists, Disabled 1.0.0
[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. Audit, Deny, Disabled 1.0.0-preview
IoT Hub device provisioning service instances should disable public network access Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://aka.ms/iotdpsvnet. Audit, Deny, Disabled 1.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
Modify - Configure Azure IoT Hubs to disable public network access Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. Modify, Disabled 1.0.0
Private endpoint should be enabled for IoT Hub Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. Audit, Disabled 1.0.0
Public network access on Azure IoT Hub should be disabled Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. Audit, Deny, Disabled 1.0.0
Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.0.1

Key Vault

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Key Vault Managed HSM should disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Audit, Deny, Disabled 1.0.0-preview
Azure Key Vault Managed HSM should have purge protection enabled Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. Audit, Deny, Disabled 1.0.0
[Preview]: Azure Key Vault Managed HSM should use private link Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link Audit, Disabled 1.0.0-preview
[Preview]: Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Audit, Deny, Disabled 2.0.0-preview
[Preview]: Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Audit, Deny, Disabled 1.0.0-preview
Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. audit, deny, disabled 2.0.1
Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. audit, deny, disabled 2.0.1
Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. audit, deny, disabled 2.0.1
[Preview]: Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. audit, deny, disabled 2.1.0-preview
Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. audit, deny, disabled 2.0.1
Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. audit, deny, disabled 2.0.1
Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. audit, deny, disabled 2.0.1
Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. audit, deny, disabled 2.0.1
[Preview]: Configure Azure Key Vault Managed HSM to disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Modify, Disabled 1.0.0-preview
[Preview]: Configure Azure Key Vault Managed HSM with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Azure Key Vaults with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure key vaults to disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Modify, Disabled 1.0.0-preview
Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.1
Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. deployIfNotExists 2.0.0
Key Vault keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Audit, Deny, Disabled 1.0.2
Key Vault secrets should have an expiration date Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. Audit, Deny, Disabled 1.0.2
Key vaults should have purge protection enabled Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Audit, Deny, Disabled 2.0.0
Key vaults should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Audit, Deny, Disabled 2.0.0
Keys should be backed by a hardware security module (HSM) An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. Audit, Deny, Disabled 1.0.1
Keys should be the specified cryptographic type RSA or EC Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. Audit, Deny, Disabled 1.0.1
Keys should have more than the specified number of days before expiration If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Audit, Deny, Disabled 1.0.1
Keys should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. Audit, Deny, Disabled 1.0.1
Keys should not be active for longer than the specified number of days Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. Audit, Deny, Disabled 1.0.1
Keys using elliptic curve cryptography should have the specified curve names Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Audit, Deny, Disabled 1.0.1
Keys using RSA cryptography should have a specified minimum key size Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Audit, Deny, Disabled 1.0.1
[Preview]: Private endpoint should be configured for Key Vault Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Audit, Deny, Disabled 1.1.0-preview
Resource logs in Azure Key Vault Managed HSM should be enabled To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. AuditIfNotExists, Disabled 1.0.0
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Secrets should have content type set A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. Audit, Deny, Disabled 1.0.1
Secrets should have more than the specified number of days before expiration If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Audit, Deny, Disabled 1.0.1
Secrets should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. Audit, Deny, Disabled 1.0.1
Secrets should not be active for longer than the specified number of days If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. Audit, Deny, Disabled 1.0.1

Kubernetes

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. AuditIfNotExists, Disabled 3.0.0-preview
[Preview]: Azure Kubernetes Service clusters should have Azure Defender profile enabled Azure Defender for Kubernetes provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection.
When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.
Learn more about Azure Defender for Kubernetes in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction
Audit, Disabled 1.0.0-preview
Azure Kubernetes Service Clusters should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. Audit, Deny, Disabled 1.0.0
Azure Kubernetes Service Private Clusters should be enabled Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.0
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Audit, Disabled 1.0.2
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.0
[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Azure Defender's extension Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. DeployIfNotExists, Disabled 2.0.0-preview
[Preview]: Configure Azure Kubernetes Service clusters to enable Azure Defender profile Azure Defender for Kubernetes provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection.
When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data.
Learn more about Azure Defender for Kubernetes: https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction.
DeployIfNotExists, Disabled 1.0.0-preview
Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. deployIfNotExists, auditIfNotExists, disabled 1.0.0
Configure Kubernetes clusters with specified GitOps configuration using no secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. deployIfNotExists, auditIfNotExists, disabled 1.0.0
Configure Kubernetes clusters with specified GitOps configuration using SSH secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. deployIfNotExists, auditIfNotExists, disabled 1.0.0
Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. DeployIfNotExists, Disabled 1.0.0
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. deployIfNotExists 2.0.0
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 7.0.0
Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 3.0.1
Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Kubernetes cluster containers should only listen on allowed ports Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 6.1.1
Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 7.0.0
Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 5.0.1
Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 3.0.1
Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.2
Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 3.0.1
Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 6.0.0
Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 6.1.1
Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 3.0.1
Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 7.0.0
Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc audit, deny, disabled 6.0.0
[Preview]: Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 2.0.1-preview
Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.0
Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Audit, Disabled 1.0.0
[Preview]: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 3.0.1-preview
[Preview]: Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 3.0.1-preview
[Preview]: Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 2.1.1-preview
Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. audit, deny, disabled 6.0.0
Resource logs in Azure Kubernetes Service should be enabled Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed AuditIfNotExists, Disabled 1.0.0
Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.0

Lighthouse

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Allow managing tenant ids to onboard through Azure Lighthouse Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. deny 1.0.1
Audit delegation of scopes to a managing tenant Audit delegation of scopes to a managing tenant via Azure Lighthouse. Audit, Disabled 1.0.0

Logic Apps

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Logic Apps Integration Service Environment should be encrypted with customer-managed keys Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Audit, Deny, Disabled 1.0.0
Logic Apps should be deployed into Integration Service Environment Deploying Logic Apps into Integration Service Environment in a virtual network unlocks advanced Logic Apps networking and security features and provides you with greater control over your network configuration. Learn more at: https://aka.ms/integration-service-environment. Deploying into Integration Service Environment also allows encryption with customer-managed keys which provides enhanced data protection by allowing you to manage your encryption keys. This is often to meet compliance requirements. Audit, Deny, Disabled 1.0.0
Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

Machine Learning

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Machine Learning workspaces should be encrypted with a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. Audit, Deny, Disabled 1.0.3
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Deny, Disabled 1.1.0
Azure Machine Learning workspaces should use user-assigned managed identity Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python. Audit, Deny, Disabled 1.0.0
[Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. enforceSetting, disabled 3.0.0-preview
[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. enforceSetting, disabled 3.0.0-preview
[Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. enforceSetting, disabled 3.0.0-preview
[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. enforceSetting, disabled 3.0.0-preview
Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. DeployIfNotExists, Disabled 1.0.0
Configure Azure Machine Learning workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. DeployIfNotExists, Disabled 1.0.0
[Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. enforceSetting, disabled 3.1.0-preview
[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. enforceSetting, disabled 3.0.0-preview
Configure Machine Learning computes to disable local authentication methods Disable location authentication methods so that your Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Modify, Disabled 1.0.0
Machine Learning computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Audit, Deny, Disabled 1.0.0

Managed Application

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Application definition for Managed Application should use customer provided storage account Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. audit, deny, disabled 1.0.0
Deploy associations for a managed application Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. deployIfNotExists 1.0.0

Media Services

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Media Services accounts should disable public network access Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. Audit, Deny, Disabled 1.0.0
Azure Media Services accounts should use an API that supports Private Link Media Services accounts should be created with an API that supports private link. Audit, Deny, Disabled 1.0.0
Azure Media Services accounts that allow access to the legacy v2 API should be blocked The Media Services legacy v2 API allows requests that cannot be managed using Azure Policy. Media Services resources created using the 2020-05-01 API or later block access to the legacy v2 API. Audit, Deny, Disabled 1.0.0
Azure Media Services content key policies should use token authentication Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Azure Active Directory. Audit, Deny, Disabled 1.0.0
Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property. Deny, Disabled 1.0.1
Azure Media Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. AuditIfNotExists, Disabled 1.0.0
Configure Azure Media Services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. DeployIfNotExists, Disabled 1.0.0
Configure Azure Media Services with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. DeployIfNotExists, Disabled 1.0.0

Migrate

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Azure Migrate resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0

Monitoring

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: [ASC Private Preview] Configure system-assigned managed identity to enable Azure Monitor assignments on VMs [ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. Modify, Disabled 3.0.0-preview
Activity log should be retained for at least one year This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). AuditIfNotExists, Disabled 1.0.0
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. AuditIfNotExists, Disabled 3.0.0
An activity log alert should exist for specific Security operations This policy audits specific Security operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Application Insights components should block log ingestion and querying from public networks Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. audit, deny, disabled 1.0.0
Application Insights components should block non-Azure Active Directory based ingestion. Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. Deny, Audit, Disabled 1.0.0
Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger. To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage Deny, Audit, Disabled 1.0.0
Audit diagnostic setting Audit diagnostic setting for selected resource types AuditIfNotExists 1.0.0
Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. Audit, Disabled, Deny 1.0.0
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' AuditIfNotExists, Disabled 1.0.0
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. audit, deny, disabled 1.0.0
Azure Monitor Logs clusters should be encrypted with customer-managed key Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. audit, deny, disabled 1.0.0
Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. audit, deny, disabled 1.0.0
Azure Monitor Private Link Scope should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. AuditIfNotExists, Disabled 1.0.0
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. AuditIfNotExists, Disabled 2.0.0
Azure Monitor solution 'Security and Audit' must be deployed This policy ensures that Security and Audit is deployed. AuditIfNotExists, Disabled 1.0.0
Azure subscriptions should have a log profile for Activity Log This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. AuditIfNotExists, Disabled 1.0.0
Configure Association to link Linux virtual machines to Data Collection Rule Deploy Association to link Linux virtual machine to specified Data Collection Rule. The list of OS images is updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0
Configure Association to link Windows virtual machines to Data Collection Rule Deploy Association to link Windows virtual machines to specified Data Collection Rule. The list of OS images is updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0
Configure Azure Activity logs to stream to specified Log Analytics workspace Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events DeployIfNotExists, Disabled 1.0.0
Configure Azure Application Insights components to disable public network access for log ingestion and querying Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Modify, Disabled 1.1.0
Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. Modify, Disabled 1.1.0
Configure Azure Monitor Private Link Scope to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. DeployIfNotExists, Disabled 1.0.0
Configure Azure Monitor Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. DeployIfNotExists, Disabled 1.0.0
Configure Dependency agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. DeployIfNotExists, Disabled 2.0.0
Configure Dependency agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. DeployIfNotExists, Disabled 2.0.0
Configure Linux virtual machines with Azure Monitor Agent Deploy Azure Monitor Agent for Linux virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed. The list of OS images is updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0
Configure Log Analytics agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. DeployIfNotExists, Disabled 2.0.0
Configure Log Analytics agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. DeployIfNotExists, Disabled 2.0.0
Configure Log Analytics workspace and automation account to centralize logs and monitoring Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Configure Windows virtual machines with Azure Monitor Agent Deploy Azure Monitor Agent for Windows virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed. The list of OS images is updated over time as support is increased. DeployIfNotExists, Disabled 2.0.0
Dependency agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. AuditIfNotExists, Disabled 2.0.0
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. AuditIfNotExists, Disabled 2.0.0
Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. DeployIfNotExists, Disabled 2.0.0
Deploy - Configure Dependency agent to be enabled on Windows virtual machines Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. DeployIfNotExists, Disabled 2.0.0
Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Log Analytics workspace when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure Log Analytics agent to be enabled on Windows virtual machine scale sets Deploy Log Analytics agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. DeployIfNotExists, Disabled 2.0.0
Deploy - Configure Log Analytics agent to be enabled on Windows virtual machines Deploy Log Analytics agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. DeployIfNotExists, Disabled 2.0.0
Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. deployIfNotExists 1.3.0
Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. deployIfNotExists 1.3.0
Deploy Diagnostic Settings for Batch Account to Event Hub Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Data Lake Analytics to Event Hub Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Event Hub to Event Hub Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.1.0
Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.1.0
Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Logic Apps to Event Hub Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. deployIfNotExists 1.0.0
Deploy Diagnostic Settings for Search Services to Event Hub Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Search Services to Log Analytics workspace Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Service Bus to Event Hub Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Stream Analytics to Event Hub Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Log Analytics agent for Linux virtual machine scale sets Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. deployIfNotExists 2.0.0
Deploy Log Analytics agent for Linux VMs Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. deployIfNotExists 2.0.0
[Preview]: Log Analytics Agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0-preview
Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0
[Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0-preview
Log Analytics workspaces should block log ingestion and querying from public networks Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. audit, deny, disabled 1.0.0
Log Analytics Workspaces should block non-Azure Active Directory based ingestion. Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. Deny, Audit, Disabled 1.0.0
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.1-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.1-preview
Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard Enable resource logs for public IP addressess in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. AuditIfNotExists, DeployIfNotExists, Disabled 1.0.0
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal. audit, deny, disabled 1.0.0
Storage account containing the container with activity logs must be encrypted with BYOK This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. AuditIfNotExists, Disabled 1.0.0
The Log Analytics agent should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0
The Log Analytics agent should be installed on virtual machines This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0
Virtual machines should be connected to a specified workspace Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. AuditIfNotExists, Disabled 1.1.0
Workbooks should be saved to storage accounts that you control With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos deny, audit, disabled 1.0.0

Network

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported algorithms and key strengths - https://aka.ms/AA62kb0 Audit, Disabled 1.0.0
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall AuditIfNotExists, Disabled 3.0.0-preview
App Service should use a virtual network service endpoint This policy audits any App Service not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Azure VPN gateways should not use 'basic' SKU This policy ensures that VPN gateways do not use 'basic' SKU. Audit, Disabled 1.0.0
Configure network security groups to enable traffic analytics Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. DeployIfNotExists, Disabled 1.0.0
Configure network security groups to use specific workspace for traffic analytics If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. DeployIfNotExists, Disabled 1.0.0
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Deploy a flow log resource with target network security group Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. deployIfNotExists 1.0.0
Deploy network watcher when virtual networks are created This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. DeployIfNotExists 1.0.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Flow logs should be configured for every network security group Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.1.0
Flow logs should be enabled for every network security group Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.0.0
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. deny 1.0.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Network interfaces should disable IP forwarding This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. deny 1.0.0
Network interfaces should not have public IPs This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. deny 1.0.0
Network Watcher flow logs should have traffic analytics enabled Traffic analytics analyzes Network Watcher network security group flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. Audit, Disabled 1.0.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
RDP access from the Internet should be blocked This policy audits any network security rule that allows RDP access from Internet Audit, Disabled 2.0.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
SSH access from the Internet should be blocked This policy audits any network security rule that allows SSH access from Internet Audit, Disabled 2.0.0
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0
Virtual networks should be protected by Azure DDoS Protection Standard Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. Modify, Audit, Disabled 1.0.0
Virtual networks should use specified virtual network gateway This policy audits any virtual network if the default route does not point to the specified virtual network gateway. AuditIfNotExists, Disabled 1.0.0
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant Audit, Deny, Disabled 1.0.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.1
Web Application Firewall (WAF) should be enabled for Azure Front Door Service service Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.1
Web Application Firewall (WAF) should use the specified mode for Application Gateway Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. Audit, Deny, Disabled 1.0.0
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. Audit, Deny, Disabled 1.0.0

Portal

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Shared dashboards should not have markdown tiles with inline content Disallow creating a shared dashboard that has inline content in markdown tiles and enforce that the content should be stored as a markdown file that's hosted online. If you use inline content in the markdown tile, you cannot manage encryption of the content. By configuring your own storage, you can encrypt, double encrypt and even bring your own keys. Enabling this policy restricts users to use 2020-09-01-preview or above version of shared dashboards REST API. Audit, Deny, Disabled 1.0.0
Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should disable public network access Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use customer-managed keys to encrypt data at rest Enabling encryption at rest using a customer-managed key on your Azure Cognitive Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Configure Azure Cognitive Search services to disable public network access Disable public network access for your Azure Cognitive Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Modify, Disabled 1.0.0
Configure Azure Cognitive Search services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Cognitive Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. DeployIfNotExists, Disabled 1.0.0
Configure Azure Cognitive Search services with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cognitive Search service, you can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. DeployIfNotExists, Disabled 1.0.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

Security Center

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0
Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. Audit, Disabled 2.0.1
Auto provisioning of the Log Analytics agent should be enabled on your subscription To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. AuditIfNotExists, Disabled 1.0.1
Azure DDoS Protection Standard should be enabled DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. AuditIfNotExists, Disabled 3.0.0
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for container registries should be enabled Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. AuditIfNotExists, Disabled 1.0.3
[Preview]: Azure Defender for DNS should be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0-preview
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Kubernetes should be enabled Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for open-source relational databases should be enabled Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center AuditIfNotExists, Disabled 1.0.0
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. AuditIfNotExists, Disabled 1.0.3
[Preview]: Azure Security agent should be installed on your Linux Arc machines Install the Azure Security agent on your Linux Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Azure Security agent should be installed on your Linux virtual machine scale sets Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Azure Security agent should be installed on your Linux virtual machines Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Azure Security agent should be installed on your Windows Arc machines Install the Azure Security agent on your Windows Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Azure Security agent should be installed on your Windows virtual machines Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. AuditIfNotExists, Disabled 1.0.0-preview
Cloud Services (extended support) role instances should be configured securely Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not expolosed to any OS vulnerabilities. AuditIfNotExists, Disabled 1.0.0
Cloud Services (extended support) role instances should have an endpoint protection solution installed Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them. AuditIfNotExists, Disabled 1.0.0
Cloud Services (extended support) role instances should have system updates installed Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them. AuditIfNotExists, Disabled 1.0.0
Configure Azure Defender for App Service to be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for Azure SQL database to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for container registries to be enabled Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for DNS to be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for Key Vaults to be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for Kubernetes to be enabled Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for servers to be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. DeployIfNotExists, Disabled 1.0.0
[Preview]: Configure Azure Defender for SQL agent on virtual machine Configure Windows machines to automatically install the Azure Defender for SQL agent where the Azure Monitor Agent is installed. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. Target virtual machines must be in a supported location. DeployIfNotExists, Disabled 1.0.0-preview
Configure Azure Defender for SQL servers on machines to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for Storage to be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. DeployIfNotExists, Disabled 1.0.0
[Preview]: Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. DeployIfNotExists, Disabled 1.1.0-preview
[Preview]: Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. DeployIfNotExists, Disabled 2.2.0-preview
[Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent Configure supported Linux Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Linux Arc machines must be in a supported location. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. DeployIfNotExists, Disabled 2.0.0-preview
[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. DeployIfNotExists, Disabled 2.0.0-preview
[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. DeployIfNotExists, Disabled 5.0.0-preview
[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. DeployIfNotExists, Disabled 2.0.0-preview
[Preview]: Configure supported virtual machines to automatically enable vTPM Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent Configure supported Windows Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows Arc machines must be in a supported location. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. DeployIfNotExists, Disabled 4.0.0-preview
[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. DeployIfNotExists, Disabled 1.0.0-preview
Deploy - Configure suppression rules for Azure Security Center alerts Suppress Azure Security Center alerts to reduce alerts fatigue by deploying suppression rules on your management group or subscription. deployIfNotExists 1.0.0
Deploy export to Event Hub for Azure Security Center data Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. deployIfNotExists 4.0.0
Deploy export to Log Analytics workspace for Azure Security Center data Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. deployIfNotExists 4.0.0
Deploy Workflow Automation for Azure Security Center alerts Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. deployIfNotExists 4.0.0
Deploy Workflow Automation for Azure Security Center recommendations Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. deployIfNotExists 4.0.0
Deploy Workflow Automation for Azure Security Center regulatory compliance Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. deployIfNotExists 4.0.0
Deprecated accounts should be removed from your subscription Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 3.0.0
Deprecated accounts with owner permissions should be removed from your subscription Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 3.0.0
Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. AuditIfNotExists, Disabled 1.0.1
Email notification to subscription owner for high severity alerts should be enabled To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. AuditIfNotExists, Disabled 2.0.0
Enable Azure Security Center on your subscription Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard), will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. deployIfNotExists 1.0.0
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. DeployIfNotExists, Disabled 1.0.0
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. DeployIfNotExists, Disabled 1.0.0
Endpoint protection health issues should be resolved on your machines Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. AuditIfNotExists, Disabled 1.0.0
Endpoint protection should be installed on your machines To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. AuditIfNotExists, Disabled 1.0.0
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 3.0.0
External accounts with owner permissions should be removed from your subscription External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 3.0.0
External accounts with read permissions should be removed from your subscription External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 3.0.0
External accounts with write permissions should be removed from your subscription External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 3.0.0
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines. AuditIfNotExists, Disabled 2.0.0-preview
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets. AuditIfNotExists, Disabled 2.0.0-preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets. AuditIfNotExists, Disabled 1.0.0-preview
Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Audit, Disabled 1.0.2
[Preview]: Linux virtual machines should use Secure Boot To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed. AuditIfNotExists, Disabled 1.0.0-preview
Log Analytics agent health issues should be resolved on your machines Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your Cloud Services (extended support) role instances Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. AuditIfNotExists, Disabled 2.0.0
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. AuditIfNotExists, Disabled 1.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
MFA should be enabled accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit, Disabled 1.0.2
[Preview]: Secure Boot should be enabled on supported Windows virtual machines Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines. Audit, Disabled 1.0.0-preview
Security Center standard pricing tier should be selected The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center Audit, Disabled 1.0.0
[Preview]: Sensitive data in your SQL databases should be classified Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security AuditIfNotExists, Disabled 3.0.0-preview
Service principals should be used to protect your subscriptions instead of management certificates Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. AuditIfNotExists, Disabled 1.0.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.0.0
SQL servers on machines should have vulnerability findings resolved SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. AuditIfNotExists, Disabled 1.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Subscriptions should have a contact email address for security issues To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. AuditIfNotExists, Disabled 1.0.1
System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. AuditIfNotExists, Disabled 3.0.0
System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 4.0.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0
[Preview]: Virtual machines guest attestation status should be healthy Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection. This assessment only applies to Trusted Launch enabled virtual machines that have Guest Attestation extension installed. AuditIfNotExists, Disabled 1.0.0-preview
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in Server-side encryption of Azure Disk Storage. and Different disk encryption offerings. AuditIfNotExists, Disabled 2.0.2
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol AuditIfNotExists, Disabled 1.0.1
[Preview]: vTPM should be enabled on supported virtual machines Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. Audit, Disabled 1.0.0-preview
Vulnerabilities in Azure Container Registry images should be remediated Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. AuditIfNotExists, Disabled 2.0.0
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 3.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 3.0.0

Service Bus

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Audit, Deny, Disabled 1.0.1
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Configure Service Bus namespaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. DeployIfNotExists, Disabled 1.0.0
Configure Service Bus namespaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Service Bus namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. DeployIfNotExists, Disabled 1.0.0
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Service Bus namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Audit, Deny, Disabled 1.0.0
Service Bus Premium namespaces should use a customer-managed key for encryption Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. Audit, Disabled 1.0.0

Service Fabric

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Audit, Deny, Disabled 1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0

SignalR

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure SignalR Service should disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 1.0.0
Azure SignalR Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure SignalR Service exclusively require Azure Active Directory identities for authentication. Audit, Deny, Disabled 1.0.0
Azure SignalR Service should use a Private Link enabled SKU Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination which protect your resources against public data leakage risks. The policy limits you to Private Link enabled SKUs for Azure SignalR Service. Learn more about private link at: https://aka.ms/asrs/privatelink. Audit, Deny, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Deny, Disabled 1.0.1
Configure Azure SignalR Service to disable local authentication Disable local authentication methods so that your Azure SignalR Service exclusively requires Azure Active Directory identities for authentication. Modify, Disabled 1.0.0
Configure private endpoints to Azure SignalR Service Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure SignalR Service resources, you can reduce data leakage risks. Learn more at https://aka.ms/asrs/privatelink. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SignalR Service resource. Learn more at: https://aka.ms/asrs/privatelink. DeployIfNotExists, Disabled 1.0.0
Modify Azure SignalR Service resources to disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Modify, Disabled 1.0.0

Site Recovery

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Configure Azure Recovery Services vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure private endpoints on Azure Recovery Services vaults Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Recovery Services vaults should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://aka.ms/HybridScenarios-PrivateLink and https://aka.ms/AzureToAzure-PrivateLink. Audit, Disabled 1.0.0-preview

SQL

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure SQL Database should have Azure Active Directory Only Authentication enabled Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate. Audit, Deny, Disabled 1.0.0
Azure SQL Database should have the minimal TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Audit, Disabled 1.0.1
Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate. Audit, Deny, Disabled 1.0.0
Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists, Disabled 1.0.0
Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists, Disabled 1.0.0
Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists, Disabled 1.0.0
Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled windows server, the latter should have SQL Server extension installed and the server's managed identity should be configured with Azure Connected SQL Server Onboarding role DeployIfNotExists, Disabled 1.0.1
Configure Azure Defender to be enabled on SQL managed instances Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists, Disabled 2.0.0
Configure Azure Defender to be enabled on SQL servers Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists 2.1.0
Configure Azure SQL database servers diagnostic settings to Log Analytics workspace Enables auditing logs for Azure SQL Database server and stream the logs to a Log Analytics workspace when any SQL Server which is missing this auditing is created or updated DeployIfNotExists, Disabled 1.0.2
Configure Azure SQL Server to disable public network access Disabling the public network access property shuts down public connectivity such that Azure SQL Server can only be accessed from a private endpoint. This configuration disables the public network access for all databases under the Azure SQL Server. Modify, Disabled 1.0.0
Configure Azure SQL Server to enable private endpoint connections A private endpoint connection enables private connectivity to your Azure SQL Database via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. DeployIfNotExists, Disabled 1.0.0
Configure SQL servers to have auditing enabled To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. DeployIfNotExists, Disabled 3.0.0
Connection throttling should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. AuditIfNotExists, Disabled 1.0.0
Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.1
Deploy Advanced Data Security on SQL servers This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. DeployIfNotExists 1.2.0
Deploy Diagnostic Settings for Azure SQL Database to Event Hub Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is created or updated. DeployIfNotExists 1.2.0
Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases DeployIfNotExists 2.0.0
Disconnections should be logged for PostgreSQL database servers. This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. AuditIfNotExists, Disabled 1.0.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Infrastructure encryption should be enabled for Azure Database for MySQL servers Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. Audit, Deny, Disabled 1.0.0
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys Audit, Deny, Disabled 1.0.0
Log checkpoints should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. AuditIfNotExists, Disabled 1.0.0
Log connections should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. AuditIfNotExists, Disabled 1.0.0
Log duration should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. AuditIfNotExists, Disabled 1.0.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0
MariaDB server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MariaDB has virtual network service endpoint being used. AuditIfNotExists, Disabled 1.0.2
MySQL server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MySQL has virtual network service endpoint being used. AuditIfNotExists, Disabled 1.0.2
MySQL servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. AuditIfNotExists, Disabled 1.0.4
PostgreSQL server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for PostgreSQL has virtual network service endpoint being used. AuditIfNotExists, Disabled 1.0.2
PostgreSQL servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. AuditIfNotExists, Disabled 1.0.4
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 1.0.0
Public network access should be disabled for MySQL servers Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 1.0.0
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
SQL Auditing settings should have Action-Groups configured to capture critical activities The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging AuditIfNotExists, Disabled 1.0.0
SQL Database should avoid using GRS backup redundancy Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 2.0.0
SQL Managed Instance should have the minimal TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Audit, Disabled 1.0.1
SQL Managed Instances should avoid using GRS backup redundancy Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 1.0.1
[Preview]: SQL Managed instances should use customer-managed keys to encrypt data at rest Your SQL Managed instances are created using a customer-managed key for Transparent Data Encryption. Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 1.0.0-preview
SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. AuditIfNotExists, Disabled 1.0.2
[Preview]: SQL server should use customer-managed keys to encrypt data at rest Your Azure SQL Server are created using a customer-managed key for Transparent Data Encryption. Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 1.0.0-preview
SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. AuditIfNotExists, Disabled 2.0.1
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. AuditIfNotExists, Disabled 3.0.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0
Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. AuditIfNotExists 1.0.0
Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. AuditIfNotExists, Disabled 2.0.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 2.0.0

Storage

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Configure Azure File Sync to use private DNS zones To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). DeployIfNotExists, Disabled 1.0.0
Configure Azure File Sync with private endpoints A private endpoint is deployed for the indicated Storage Sync Service resource. This enables you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. The existence of one or more private endpoints by themselves does not disable the public endpoint. DeployIfNotExists, Disabled 1.0.0
Configure diagnostic settings for storage accounts to Log Analytics workspace Deploys the diagnostic settings for storage accounts to stream resource logs to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.3.0
Configure Storage account to use a private link connection Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your storage account, you can reduce data leakage risks. Learn more about private links at - https://aka.ms/azureprivatelinkoverview DeployIfNotExists, Disabled 1.0.0
Deploy Advanced Threat Protection on storage accounts This policy enables Advanced Threat Protection on storage accounts. DeployIfNotExists, Disabled 1.0.0
Geo-redundant storage should be enabled for Storage Accounts Use geo-redundancy to create highly available applications Audit, Disabled 1.0.0
HPC Cache accounts should use customer-managed key for encryption Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Audit, Disabled, Deny 2.0.0
Modify - Configure Azure File Sync to disable public network access The Azure File Sync's internet-accessible public endpoint are disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s). Modify, Disabled 1.0.0
Public network access should be disabled for Azure File Sync Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly. Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Storage account encryption scopes should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. Audit, Deny, Disabled 1.0.0
Storage account encryption scopes should use double encryption for data at rest Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice. Audit, Deny, Disabled 1.0.0
Storage account keys should not be expired Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. Audit, Deny, Disabled 3.0.0
[Preview]: Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. audit, deny, disabled 3.0.1-preview
Storage accounts should allow access from trusted Microsoft services Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. Audit, Deny, Disabled 1.0.0
Storage accounts should be limited by allowed SKUs Restrict the set of storage account SKUs that your organization can deploy. Audit, Deny, Disabled 1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0
Storage accounts should have infrastructure encryption Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. Audit, Deny, Disabled 1.0.0
Storage accounts should prevent shared key access Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. Audit, Deny, Disabled 1.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1
Storage accounts should use customer-managed key for encryption Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled 1.0.3
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0

Stream Analytics

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Stream Analytics jobs should use customer-managed keys to encrypt data Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. audit, deny, disabled 1.0.0
Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

Synapse

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Auditing on Synapse workspace should be enabled Auditing on your Synapse workspace should be enabled to track database activities across all databases on the dedicated SQL pools and save them in an audit log. AuditIfNotExists, Disabled 1.0.0
Azure Synapse workspaces should allow outbound data traffic only to approved targets Increase security of your Synapse workspace by allowing outbound data traffic only to approved targets. This helps prevention against data exfiltration by validating the target before sending data. Audit, Disabled, Deny 1.0.0
Azure Synapse workspaces should disable public network access Disabling public network access improves security by ensuring that the Synapse workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your Synapse workspaces. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. Audit, Deny, Disabled 1.0.0
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. Audit, Deny, Disabled 1.0.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Configure Azure Synapse workspaces to disable public network access Disable public network access for your Synapse workspace so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. Modify, Disabled 1.0.0
Configure Azure Synapse workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint. DeployIfNotExists, Disabled 1.0.0
Configure Azure Synapse workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Synapse workspaces, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. DeployIfNotExists, Disabled 1.0.0
Configure Synapse workspaces to have auditing enabled To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. DeployIfNotExists, Disabled 1.1.0
IP firewall rules on Azure Synapse workspaces should be removed Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace. Audit, Disabled 1.0.0
Managed workspace virtual network on Azure Synapse workspaces should be enabled Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provides user level isolation for Spark activities. Audit, Deny, Disabled 1.0.0
Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment. Audit, Disabled, Deny 1.0.0
Synapse workspace auditing settings should have action groups configured to capture critical activities To ensure your audit logs are as thorough as possible, the AuditActionsAndGroups property should include all the relevant groups. We recommend adding at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP. This is sometimes required for compliance with regulatory standards. AuditIfNotExists, Disabled 1.0.0
Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. AuditIfNotExists, Disabled 2.0.0
Vulnerability assessment should be enabled on your Synapse workspaces Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. AuditIfNotExists, Disabled 1.0.0

Tags

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add a tag to resource groups Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. modify 1.0.0
Add a tag to resources Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. modify 1.0.0
Add a tag to subscriptions Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. modify 1.0.0
Add or replace a tag on resource groups Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. modify 1.0.0
Add or replace a tag on resources Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. modify 1.0.0
Add or replace a tag on subscriptions Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. modify 1.0.0
Append a tag and its value from the resource group Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). append 1.0.0
Append a tag and its value to resource groups Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). append 1.0.0
Append a tag and its value to resources Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). append 1.0.1
Inherit a tag from the resource group Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. modify 1.0.0
Inherit a tag from the resource group if missing Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. modify 1.0.0
Inherit a tag from the subscription Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. modify 1.0.0
Inherit a tag from the subscription if missing Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. modify 1.0.0
Require a tag and its value on resource groups Enforces a required tag and its value on resource groups. deny 1.0.0
Require a tag and its value on resources Enforces a required tag and its value. Does not apply to resource groups. deny 1.0.1
Require a tag on resource groups Enforces existence of a tag on resource groups. deny 1.0.0
Require a tag on resources Enforces existence of a tag. Does not apply to resource groups. deny 1.0.1

VM Image Builder

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0

Web PubSub

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Web PubSub Service should disable public network access Disabling public network access improves security by ensuring that Azure Web PubSub service isn't exposed on the public internet. Creating private endpoints can limit exposure of Azure Web PubSub service. Learn more at: https://aka.ms/awps/networkacls. Audit, Deny, Disabled 1.0.0
Azure Web PubSub Service should use a SKU that supports private link With supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Deny, Disabled 1.0.0
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Deny, Disabled 1.0.0
Configure Azure Web PubSub Service to disable public network access Disable public network access for your Azure Web PubSub resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/awps/networkacls. Modify, Disabled 1.0.0
Configure Azure Web PubSub Service to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink. DeployIfNotExists, Disabled 1.0.0
Configure Azure Web PubSub Service with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. DeployIfNotExists, Disabled 1.0.0

Next steps