Azure Policy built-in policy definitions

This page is an index of Azure Policy built-in policy definitions.

The name of each built-in links to the policy definition in Azure portal. Use the link in the Source column to view the source on the Azure Policy GitHub repo. The built-ins are grouped by the category property in metadata. To jump to a specific category, use the menu on the right side of the page. Otherwise, use Ctrl-F to use your browser's search feature.

App Configuration

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| App Configuration should use a customer managed key | This policy audits any App Configuration instance that does not use a customer managed key. | Audit, Disabled | 1.0.0 | Link |
| App Configuration should use a private link | This policy audits any App Configuration instance that does not use a private link. | AuditIfNotExists, Disabled | 1.0.0 | Link |

App Platform

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Audit Azure Spring Cloud instances where distributed tracing is not enabled | Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. | Audit, Disabled | 1.0.0-preview | Link |

App Service

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 | Link |
| Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Authentication should be enabled on your Function app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Authentication should be enabled on your web app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 | Link |
| Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 | Link |
| Ensure that '.NET Framework' version is the latest, if used as a part of the API app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'HTTP Version' is the latest, if used to run the Api app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'HTTP Version' is the latest, if used to run the Web app | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Java version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.1 | Link |
| Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'PHP version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'PHP version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Python version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that Register with Azure Active Directory is enabled on API app | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that Register with Azure Active Directory is enabled on Function App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that Register with Azure Active Directory is enabled on WEB App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 | Link |
| FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 | Link |
| Latest TLS version should be used in your API App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Latest TLS version should be used in your Function App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Latest TLS version should be used in your Web App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 | Link |

Automation

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Disabled | 1.0.0 | Link |

Backup

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | This policy helps audit if Azure Backup service is enabled for all Virtual machines. Azure Backup is a cost-effective, one-click backup solution that simplifies data recovery and is easier to enable than other cloud backup services. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Configure backup on VMs of a location to an existing central Vault in the same location | This policy configures Azure Backup protection on VMs in a given location to an existing central vault in the same location. It applies to only those VMs that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond the defined schedule. This policy will be enhanced to support more VM images. | deployIfNotExists, auditIfNotExists, disabled | 1.0.0 | Link |

Batch

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Diagnostic logs in Batch accounts should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |
| Metric alert rules should be configured on Batch accounts | Audit configuration of metric alert rules on Batch account to enable the required metric. | AuditIfNotExists, Disabled | 1.0.0 | Link |

Cache

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Only secure connections to your Redis Cache should be enabled | Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 1.0.0 | Link |

Compute

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Allowed virtual machine SKUs | This policy enables you to specify a set of virtual machine SKUs that your organization can deploy. | Deny | 1.0.0 | Link |
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 | Link |
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | audit | 1.0.0 | Link |
| Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | deployIfNotExists | 1.0.0 | Link |
| Diagnostic logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0 | Link |
| Require automatic OS image patching on Virtual Machine Scale Sets | This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. | deny | 1.0.0 | Link |
| Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Audit, Disabled | 1.0.0 | Link |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 | Link |

Container Registry

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Container Registries should be encrypted with a Customer-Managed Key (CMK) | Audit Container Registries that do not have encryption enabled with Customer-Managed Keys (CMK). For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. | Audit, Disabled | 1.0.0-preview | Link |
| Container Registries should not allow unrestricted network access | Audit Container Registries that do not have any Network (IP or VNET) Rules configured and allow all network access by default. Container Registries with at least one IP / Firewall rule or configured virtual network will be deemed compliant. For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet. | Audit, Disabled | 1.0.0-preview | Link |

Cosmos DB

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Deploy Advanced Threat Protection for Cosmos DB Accounts | This policy enables Advanced Threat Protection across Cosmos DB accounts. | DeployIfNotExists, Disabled | 1.0.0 | Link |

Custom Provider

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Deploy associations for a custom provider | Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. | deployIfNotExists | 1.0.0 | Link |

Data Lake

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Diagnostic logs in Azure Data Lake Store should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |
| Diagnostic logs in Data Lake Analytics should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |
| Require encryption on Data Lake Store accounts | This policy ensures encryption is enabled on all Data Lake Store accounts. | deny | 1.0.0 | Link |

Event Hub

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace | Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. | Audit, Deny, Disabled | 1.0.1 | Link |
| Authorization rules on the Event Hub instance should be defined | Audit existence of authorization rules on Event Hub entities to grant least-privileged access. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Diagnostic logs in Event Hub should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |

General

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | deny | 1.0.0 | Link |
| Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. | deny | 1.0.0 | Link |
| Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. | deny | 1.0.0 | Link |
| Audit resource location matches resource group location | Audit that the resource location matches its resource group location. | audit | 1.0.0 | Link |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 | Link |
| Custom subscription owner roles should not exist | This policy ensures that no custom subscription owner roles exist. | Audit, Disabled | 1.0.0 | Link |
| Not allowed resource types | This policy enables you to specify the resource types that your organization cannot deploy. | Deny | 1.0.0 | Link |

Guest Configuration

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.1.0-preview | Link |
| Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.1.0-preview | Link |
| Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.1.0 | Link |
| Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.1.0-preview | Link |
| Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.1.0 | Link |
| Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled | This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0 | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.1-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | deployIfNotExists | 1.0.0-preview | Link |
Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that are not joined to the specified domain This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs that are not set to the specified time zone This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0-preview Link
Deploy prerequisites to audit Windows VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows VMs with a pending reboot This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to audit Windows web servers that are not using secure communication protocols This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.0.0 Link
Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. deployIfNotExists 1.1.0 Link
Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. deployIfNotExists 1.0.0 Link
Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.1.0-preview Link
Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.1.0-preview Link
Show audit results from Linux VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.1.0 Link
Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.1.0-preview Link
Show audit results from Linux VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.1.0 Link
Show audit results from Windows Server VMs on which Windows Serial Console is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.1-preview Link
Show audit results from Windows VMs configurations in 'Administrative Templates - Network' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Administrative Templates - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Accounts' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Audit' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Devices' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Network Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Network Security' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Recovery console' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - Shutdown' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - System objects' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - System settings' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Options - User Account Control' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'System Audit Policies - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'User Rights Assignment' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Windows Components' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs configurations in 'Windows Firewall Properties' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs in which the Administrators group contains any of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs in which the Administrators group does not contain only the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs on which the DSC configuration is not compliant This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs on which the remote host connection status does not match the specified one This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs on which the specified services are not installed and 'Running' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that allow re-use of the previous 24 passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that are not joined to the specified domain This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs that are not set to the specified time zone This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs that contain certificates expiring within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that do not have a maximum password age of 70 days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that do not have a minimum password age of 1 day This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that do not have the password complexity setting enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that do not store passwords using reversible encryption This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that have not restarted within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0-preview Link
Show audit results from Windows VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows VMs with a pending reboot This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link
Show audit results from Windows web servers that are not using secure communication protocols This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0 Link

Internet of Things

Name Description Effect(s) Version GitHub
Diagnostic logs in IoT Hub should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 2.0.0 Link

Key Vault

Name Description Effect(s) Version GitHub
Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault that is missing these diagnostic settings is created or updated. deployIfNotExists 2.0.0 Link
Diagnostic logs in Key Vault should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 1.0.0 Link
Key Vault objects should be recoverable This policy audits Key Vault objects that are not recoverable. The Soft Delete feature holds resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When 'Purge protection' is on, a vault or an object in the deleted state cannot be purged until the 90-day retention period has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed. Audit, Disabled 1.0.0 Link
Manage allowed certificate key types This policy manages the allowed key types for certificates. audit, deny, disabled 1.0.0-preview Link
Manage allowed curve names for elliptic curve cryptography certificates This policy manages the allowed elliptic curve names for elliptic curve cryptography certificates. audit, deny, disabled 1.0.0-preview Link
Manage certificate lifetime action triggers This policy manages the configuration for certificate lifetime action triggers before certificate expiration. audit, deny, disabled 1.0.0-preview Link
Manage certificate validity period This policy manages the maximum validity period for certificates in months. audit, deny, disabled 1.0.0-preview Link
Manage certificates issued by a non-integrated CA This policy manages certificates that are issued by a specified non-integrated Certificate Authority. audit, deny, disabled 1.0.0-preview Link
Manage certificates issued by an integrated CA This policy manages certificates that are issued by a specified Key Vault integrated Certificate Authority. audit, deny, disabled 1.0.0-preview Link
Manage certificates that are within a specified number of days of expiration This policy manages certificates that are within a specified number of days of their expiration date. audit, deny, disabled 1.0.0-preview Link
Manage minimum key size for RSA certificates This policy manages the minimum key size for RSA certificates. audit, deny, disabled 1.0.0-preview Link
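The eight 'Manage ...' rows above are audit/deny rules over a certificate's policy in Key Vault. The evaluator that follows is an added example, not Microsoft's policy code and not from the Azure Policy repo: it applies the same eight checks locally to certificates described in the data-plane certificate-policy shape (key_props, x509_props, lifetime_actions, issuer), so a certificate policy can be validated before these built-ins are assigned with the deny effect. The threshold values, the CA names and the two sample certificates are assumptions; treating 'Self' and 'Unknown' issuers as the non-integrated case and judging them by the issued certificate's issuer CN is a modelling choice, not the built-ins' exact alias logic.

```python
"""Pre-flight evaluator mirroring the eight Key Vault 'Manage ...' certificate built-ins.
Added example, not Microsoft's policy code. Assumed: certificates are dicts in the
data-plane certificate-policy shape (key_props, x509_props, lifetime_actions, issuer)
plus 'expires_on' and, for non-integrated CAs, the issued certificate's 'issuer_cn';
the Rules defaults stand in for the parameters you would set on the assignments."""
from dataclasses import dataclass
from datetime import date

RSA_TYPES = {"RSA", "RSA-HSM"}
EC_TYPES = {"EC", "EC-HSM"}


@dataclass(frozen=True)
class Rules:
    allowed_key_types: frozenset = frozenset({"RSA", "RSA-HSM", "EC", "EC-HSM"})
    allowed_curves: frozenset = frozenset({"P-256", "P-384", "P-521"})
    min_rsa_key_size: int = 2048
    max_validity_months: int = 12
    max_lifetime_percentage: int = 80   # a renewal trigger must fire by this % of lifetime ...
    min_days_before_expiry: int = 30    # ... or at least this many days before expiry
    allowed_integrated_cas: frozenset = frozenset({"DigiCert", "GlobalSign"})
    allowed_non_integrated_cas: frozenset = frozenset()   # issuer CNs; empty = none allowed
    expiry_warning_days: int = 30


def findings(cert: dict, rules: Rules, today: date) -> list:
    """One message per built-in the certificate would fail; an empty list means compliant."""
    out, policy = [], cert["policy"]
    kp, kty = policy["key_props"], policy["key_props"]["kty"]
    if kty not in rules.allowed_key_types:
        out.append(f"key type {kty} not allowed")
    if kty in EC_TYPES and kp.get("crv") not in rules.allowed_curves:
        out.append(f"curve {kp.get('crv')} not allowed")
    if kty in RSA_TYPES and kp.get("key_size", 0) < rules.min_rsa_key_size:
        out.append(f"RSA key size {kp.get('key_size')} below {rules.min_rsa_key_size}")
    months = policy["x509_props"]["validity_months"]
    if months > rules.max_validity_months:
        out.append(f"validity of {months} months exceeds {rules.max_validity_months}")
    # Lifetime action triggers: at least one action must fire early enough to renew in time.
    early = any(
        t.get("lifetime_percentage", 101) <= rules.max_lifetime_percentage
        or t.get("days_before_expiry", -1) >= rules.min_days_before_expiry
        for t in (a["trigger"] for a in policy.get("lifetime_actions", [])))
    if not early:
        out.append("no lifetime action trigger fires early enough")
    # 'Self' and 'Unknown' are not integrated CAs, so the issued certificate's issuer CN
    # is what gets judged; any other name refers to a Key Vault issuer object.
    issuer = policy["issuer"]["name"]
    if issuer in ("Self", "Unknown"):
        cn = cert.get("issuer_cn", "")
        if cn not in rules.allowed_non_integrated_cas:
            out.append(f"non-integrated issuer '{cn}' not allowed")
    elif issuer not in rules.allowed_integrated_cas:
        out.append(f"integrated CA '{issuer}' not allowed")
    days_left = (date.fromisoformat(cert["expires_on"]) - today).days
    if days_left <= rules.expiry_warning_days:
        out.append(f"expires in {days_left} days")
    return out


def evaluate(cert: dict, rules: Rules, effect: str, today: date) -> dict:
    """Apply the effect: 'audit' reports and allows, 'deny' rejects on any finding, 'disabled' skips."""
    if effect.lower() == "disabled":
        return {"allowed": True, "findings": []}
    hits = findings(cert, rules, today)
    return {"allowed": effect.lower() == "audit" or not hits, "findings": hits}


# Constructed sample certificates (not real Key Vault objects); TODAY fixes the expiry check.
TODAY = date(2025, 7, 1)
GOOD_CERT = {
    "policy": {"key_props": {"kty": "RSA", "key_size": 3072},
               "x509_props": {"subject": "CN=api.example.test", "validity_months": 12},
               "lifetime_actions": [{"trigger": {"lifetime_percentage": 80}, "action": {"action_type": "AutoRenew"}}],
               "issuer": {"name": "DigiCert"}},
    "expires_on": "2026-06-01",
}
WEAK_CERT = {
    "policy": {"key_props": {"kty": "RSA", "key_size": 1024},
               "x509_props": {"subject": "CN=legacy.example.test", "validity_months": 36},
               "lifetime_actions": [{"trigger": {"days_before_expiry": 7}, "action": {"action_type": "EmailContacts"}}],
               "issuer": {"name": "Unknown"}},
    "issuer_cn": "Legacy Internal CA",
    "expires_on": "2025-07-15",
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("weak", WEAK_CERT)):
        print(label, evaluate(cert, Rules(), "deny", TODAY))
```

With the deny effect, WEAK_CERT is rejected on five findings (a 1024-bit RSA key, 36-month validity, a renewal trigger only 7 days before expiry, an issuer outside the allow-list, and expiry within 30 days); with the audit effect the same findings are reported but the certificate is allowed, which is the behaviour to expect from an audit assignment of these built-ins.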

Kubernetes

Name Description Effect(s) Version GitHub
[Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster This policy does not allow the creation of privileged containers in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. enforceOPAConstraint, disabled 2.0.0-preview Link
[Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster This policy enforces HTTPS ingress in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. enforceOPAConstraint, disabled 2.0.0-preview Link
[Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster This policy enforces that load balancers do not have public IPs in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. enforceOPAConstraint, disabled 2.0.0-preview Link
[Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster This policy enforces that the specified labels are provided for pods in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. enforceOPAConstraint, disabled 2.0.0-preview Link
[Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. enforceOPAConstraint, disabled 2.0.0-preview Link
[Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. enforceOPAConstraint, disabled 2.0.0-preview Link
[Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster This policy requires containers to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. enforceOPAConstraint, disabled 2.0.0-preview Link
[Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster This policy ensures only allowed container images are running in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. enforceOPAConstraint, disabled 2.0.0-preview Link
[Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster This policy requires services to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. enforceOPAConstraint, disabled 2.0.0-preview Link

Kubernetes service

Name Description Effect(s) Version GitHub
[Limited Preview]: [AKS] Do not allow privileged containers in AKS This policy does not allow the creation of privileged containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instructions on using this policy, please go to https://aka.ms/akspolicydoc. EnforceRegoPolicy, Disabled 1.0.0-preview Link
[Limited Preview]: [AKS] Enforce HTTPS ingress in AKS This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instructions on using this policy, please go to https://aka.ms/akspolicydoc. EnforceRegoPolicy, Disabled 1.0.0-preview Link
[Limited Preview]: [AKS] Enforce internal load balancers in AKS This policy enforces that load balancers do not have public IPs in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instructions on using this policy, please go to https://aka.ms/akspolicydoc. EnforceRegoPolicy, Disabled 1.0.0-preview Link
[Limited Preview]: [AKS] Enforce labels on pods in AKS This policy enforces that the specified labels are provided for pods in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instructions on using this policy, please go to https://aka.ms/akspolicydoc. EnforceRegoPolicy, Disabled 1.0.0-preview Link
[Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instructions on using this policy, please go to https://aka.ms/akspolicydoc. EnforceRegoPolicy, Disabled 1.0.0-preview Link
[Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS This policy requires containers to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instructions on using this policy, please go to https://aka.ms/akspolicydoc. EnforceRegoPolicy, Disabled 1.0.0-preview Link
[Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instructions on using this policy, please go to https://aka.ms/akspolicydoc. EnforceRegoPolicy, Disabled 1.0.0-preview Link
[Limited Preview]: [AKS] Ensure only allowed container images in AKS This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instructions on using this policy, please go to https://aka.ms/akspolicydoc. EnforceRegoPolicy, Disabled 1.0.0-preview Link
[Limited Preview]: [AKS] Ensure services listen only on allowed ports in AKS This policy requires services to listen only on allowed ports in an Azure Kubernetes Service cluster. Limited Preview policies only work for registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. For instructions on using this policy, please go to https://aka.ms/akspolicydoc. EnforceRegoPolicy, Disabled 1.0.0-preview Link

Lighthouse

Name Description Effect(s) Version GitHub
Audit delegation of scopes to a managing tenant Audit delegation of scopes to a managing tenant via Azure Lighthouse. Audit, Disabled 1.0.0 Link

Logic Apps

Name Description Effect(s) Version GitHub
Diagnostic logs in Logic Apps should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 2.0.0 Link

Managed Application

Name Description Effect(s) Version GitHub
Deploy associations for a managed application Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. deployIfNotExists 1.0.0 Link

Monitoring

Name Description Effect(s) Version GitHub
[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.0-preview Link
Activity log should be retained for at least one year This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). AuditIfNotExists, Disabled 1.0.0 Link
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0 Link
An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0 Link
An activity log alert should exist for specific Security operations This policy audits specific Security operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0 Link
Audit Dependency agent deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.1 Link
Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.1 Link
Audit diagnostic setting Audit diagnostic setting for selected resource types AuditIfNotExists 1.0.0 Link
Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.1 Link
Audit Log Analytics workspace for VM - Report Mismatch Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. audit 1.0.1 Link
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' AuditIfNotExists, Disabled 1.0.0 Link
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. AuditIfNotExists, Disabled 1.0.0 Link
Azure Monitor solution 'Security and Audit' must be deployed This policy ensures that Security and Audit is deployed. AuditIfNotExists, Disabled 1.0.0 Link
Azure subscriptions should have a log profile for Activity Log This policy checks whether a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. AuditIfNotExists, Disabled 1.0.0 Link
Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. deployIfNotExists 1.0.1 Link
Deploy Dependency agent for Linux VMs Deploy Dependency agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. deployIfNotExists 1.0.1 Link
Deploy Dependency agent for Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. deployIfNotExists 1.0.1 Link
Deploy Dependency agent for Windows VMs Deploy Dependency agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. deployIfNotExists 1.0.1 Link
Deploy Diagnostic Settings for Batch Account to Event Hub Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Data Lake Analytics to Event Hub Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Event Hub to Event Hub Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Logic Apps to Event Hub Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic App that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic App that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. deployIfNotExists 1.0.0 Link
Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for resource-specific categories. If any of the resource-specific categories are not enabled, a new diagnostic setting is created. deployIfNotExists 1.0.0-preview Link
Deploy Diagnostic Settings for Search Services to Event Hub Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Service that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Search Services to Log Analytics workspace Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Service that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Service Bus to Event Hub Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Stream Analytics to Event Hub Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Log Analytics agent for Linux virtual machine scale sets Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. deployIfNotExists 1.0.1 Link
Deploy Log Analytics agent for Linux VMs Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. deployIfNotExists 1.0.1 Link
Deploy Log Analytics agent for Windows virtual machine scale sets Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. deployIfNotExists 1.0.1 Link
Deploy Log Analytics agent for Windows VMs Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. deployIfNotExists 1.0.1 Link
Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.0-preview Link
Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.0-preview Link
Storage account containing the container with activity logs must be encrypted with BYOK This policy audits whether the Storage account containing the container with activity logs is encrypted with BYOK. By design, the policy works only if the storage account is in the same subscription as the activity logs. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. AuditIfNotExists, Disabled 1.0.0 Link
The Log Analytics agent should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0 Link
The Log Analytics agent should be installed on virtual machines This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0 Link

Network

Name Description Effect(s) Version GitHub
A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths: https://aka.ms/AA62kb0 Audit, Disabled 1.0.0 Link
App Service should use a virtual network service endpoint This policy audits any App Service not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0 Link
Azure VPN gateways should not use 'basic' SKU This policy ensures that VPN gateways do not use 'basic' SKU. Audit, Disabled 1.0.0 Link
Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview Link
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0 Link
Deploy network watcher when virtual networks are created This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. DeployIfNotExists 1.0.0 Link
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0 Link
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. deny 1.0.0 Link
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0 Link
Network interfaces should disable IP forwarding This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. deny 1.0.0 Link
Network interfaces should not have public IPs This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. deny 1.0.0 Link
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end network view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure. auditIfNotExists 1.0.0 Link
RDP access from the Internet should be blocked This policy audits any network security rule that allows RDP access from the Internet. Audit, Disabled 2.0.0 Link
Service Bus should use a virtual network service endpoint This policy audits any Service Bus not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0 Link
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0 Link
SSH access from the Internet should be blocked This policy audits any network security rule that allows SSH access from the Internet. Audit, Disabled 2.0.0 Link
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0 Link
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0 Link
Virtual networks should use specified virtual network gateway This policy audits any virtual network if the default route does not point to the specified virtual network gateway. AuditIfNotExists, Disabled 1.0.0 Link

Search

Name Description Effect(s) Version GitHub
Diagnostic logs in Search services should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 2.0.0 Link

Security Center

Name Description Effect(s) Version GitHub
[Preview]: Vulnerability Assessment should be enabled on Virtual Machines Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment on Virtual Machines AuditIfNotExists, Disabled 1.0.0-preview Link
[Preview]: Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. Audit, Disabled 1.0.0-preview Link
[Preview]: IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 1.0.0-preview Link
[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Audit, Disabled 1.0.0-preview Link
[Preview]: Pod Security Policies should be defined on Kubernetes Services Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access. Audit, Disabled 1.0.0-preview Link
[Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit, Disabled 1.0.0-preview Link
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 1.0.0 Link
A security contact email address should be provided for your subscription Enter an email address to receive notifications when Azure Security Center detects compromised resources AuditIfNotExists, Disabled 1.0.0 Link
A security contact phone number should be provided for your subscription Enter a phone number to receive notifications when Azure Security Center detects compromised resources AuditIfNotExists, Disabled 1.0.0 Link
Access through Internet facing endpoint should be restricted Azure Security Center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. AuditIfNotExists, Disabled 1.0.0 Link
Adaptive Application Controls should be enabled on virtual machines Possible Application Whitelist configuration will be monitored by Azure Security Center AuditIfNotExists, Disabled 1.0.0 Link
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 1.0.0 Link
Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data AuditIfNotExists, Disabled 1.0.0 Link
DDoS Protection Standard should be enabled DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. AuditIfNotExists, Disabled 1.0.0 Link
Deprecated accounts should be removed from your subscription Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0 Link
Deprecated accounts with owner permissions should be removed from your subscription Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0 Link
Disk encryption should be applied on virtual machines VMs without an enabled disk encryption will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0 Link
Email notification for high severity alerts should be enabled Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risks AuditIfNotExists, Disabled 1.0.0 Link
Email notification to subscription owner for high severity alerts should be enabled Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion AuditIfNotExists, Disabled 1.0.0 Link
Enable Azure Security Center on your subscription Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard) will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. deployIfNotExists 1.0.0 Link
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 1.0.0 Link
External accounts with owner permissions should be removed from your subscription External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0 Link
External accounts with read permissions should be removed from your subscription External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0 Link
External accounts with write permissions should be removed from your subscription External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0 Link
Internet-facing virtual machines should be protected with Network Security Groups Protect your VM from potential threats by restricting access to it with a Network Security Group (NSG). To learn more about controlling traffic with NSGs, visit https://aka.ms/nsg-doc AuditIfNotExists, Disabled 1.0.0 Link
Just-In-Time network access control should be applied on virtual machines Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0 Link
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 1.0.0 Link
MFA should be enabled accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0 Link
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0 Link
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0 Link
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0 Link
Security Center standard pricing tier should be selected The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center Audit, Disabled 1.0.0 Link
Sensitive data in your SQL databases should be classified Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security AuditIfNotExists, Disabled 1.0.0-preview Link
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 1.0.0 Link
System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. AuditIfNotExists, Disabled 1.0.0 Link
System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0 Link
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 1.0.0 Link
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 1.0.0 Link
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0 Link
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 1.0.0 Link
Vulnerabilities on your SQL databases should be remediated Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 1.0.0 Link
Vulnerabilities should be remediated by a Vulnerability Assessment solution Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. AuditIfNotExists, Disabled 1.0.0 Link

Service Bus

Name Description Effect(s) Version GitHub
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Audit, Deny, Disabled 1.0.1 Link
Diagnostic logs in Service Bus should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 2.0.0 Link

Service Fabric

Name Description Effect(s) Version GitHub
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. Audit, Disabled 1.0.0 Link
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Disabled 1.0.0 Link

SQL

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Advanced data security settings for SQL managed instance should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL managed instances. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced data security should be enabled on your SQL managed instances | Audit SQL managed instances without Advanced Data Security | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Connection throttling should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | DeployIfNotExists | 1.0.0 | Link |
| Deploy Auditing on SQL servers | This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records. | DeployIfNotExists | 1.0.0 | Link |
| Deploy Diagnostic Settings for Azure SQL Database to Event Hub | Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub when any Azure SQL Database which is missing this diagnostic setting is created or updated. | DeployIfNotExists | 1.0.0 | Link |
| Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases | DeployIfNotExists | 1.0.0 | Link |
| Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | DeployIfNotExists | 1.0.0 | Link |
| Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instance are reported as soon as possible to the admins. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Enforce SSL connection should be enabled for MySQL database servers | This policy audits any MySQL server that is not enforcing SSL connection. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. | Audit, Disabled | 1.0.0 | Link |
| Enforce SSL connection should be enabled for PostgreSQL database servers | This policy audits any PostgreSQL server that is not enforcing SSL connection. Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man-in-the-middle' attacks by encrypting the data stream between the server and your application | Audit, Disabled | 1.0.0 | Link |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | This policy audits any Azure Database for MariaDB with geo-redundant backup not enabled. | Audit, Disabled | 1.0.0 | Link |
| Geo-redundant backup should be enabled for Azure Database for MySQL | This policy audits any Azure Database for MySQL with geo-redundant backup not enabled. | Audit, Disabled | 1.0.0 | Link |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | This policy audits any Azure Database for PostgreSQL with geo-redundant backup not enabled. | Audit, Disabled | 1.0.0 | Link |
| Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| MariaDB server should use a virtual network service endpoint | This policy helps audit any MariaDB server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| MySQL server should use a virtual network service endpoint | This policy helps audit any MySQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| PostgreSQL server should use a virtual network service endpoint | This policy helps audit any PostgreSQL server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Private endpoint should be enabled for MariaDB servers | This policy helps audit any MariaDB server not configured to use a private endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Private endpoint should be enabled for MySQL servers | This policy helps audit any MySQL server not configured to use a private endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Private endpoint should be enabled for PostgreSQL servers | This policy helps audit any PostgreSQL server not configured to use a private endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure thorough audit logging | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL managed instance TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL server TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL servers should be configured with auditing retention days greater than 90 days. | Audit SQL servers configured with an auditing retention period of less than 90 days. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives a scan result summary after a periodic scan runs on SQL servers. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerability assessment should be enabled on your SQL managed instances | Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 | Link |

Storage

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Allowed storage account SKUs | This policy enables you to specify a set of storage account SKUs that your organization can deploy. | Deny | 1.0.0 | Link |
| Audit unrestricted network access to storage accounts | Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Disabled | 1.0.0 | Link |
| Deploy Advanced Threat Protection on Storage Accounts | This policy enables Advanced Threat Protection on Storage Accounts. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Geo-redundant storage should be enabled for Storage Accounts | This policy audits any Storage Account with geo-redundant storage not enabled. | Audit, Disabled | 1.0.0 | Link |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.1 | Link |
| Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Audit, Deny, Disabled | 1.0.0 | Link |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 | Link |

Stream Analytics

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Diagnostic logs in Azure Stream Analytics should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 2.0.0 | Link |

Tags

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Add a tag to resource groups | Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 | Link |
| Add a tag to resources | Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. | modify | 1.0.0 | Link |
| Add or replace a tag on resource groups | Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. | modify | 1.0.0 | Link |
| Add or replace a tag on resources | Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. | modify | 1.0.0 | Link |
| Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0 | Link |
| Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0 | Link |
| Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.1 | Link |
| Inherit a tag from the resource group | Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 | Link |
| Inherit a tag from the resource group if missing | Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 | Link |
| Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 | Link |
| Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 | Link |
| Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | deny | 1.0.0 | Link |
| Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | deny | 1.0.1 | Link |
| Require a tag on resource groups | Enforces existence of a tag on resource groups. | deny | 1.0.0 | Link |
| Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | deny | 1.0.1 | Link |

Next steps