Details of the IRS 1075 September 2016 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the IRS 1075 September 2016 controls. Use the navigation on the right to jump directly to a specific compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the IRS1075 September 2016 Regulatory Compliance built-in initiative definition.

This built-in initiative is deployed as part of the IRS 1075 September 2016 blueprint sample.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Access Control

Account Management (AC-2)

ID: IRS 1075 9.3.1.2

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.0
Deprecated accounts should be removed from your subscription Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 3.0.0
Deprecated accounts with owner permissions should be removed from your subscription Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 3.0.0
External accounts with owner permissions should be removed from your subscription External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 3.0.0
External accounts with read permissions should be removed from your subscription External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 3.0.0
External accounts with write permissions should be removed from your subscription External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0

Information Flow Enforcement (AC-4)

ID: IRS 1075 9.3.1.4

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
CORS should not allow every resource to access your Web Applications Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. AuditIfNotExists, Disabled 1.0.0

Separation of Duties (AC-5)

ID: IRS 1075 9.3.1.5

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. auditIfNotExists 1.0.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Least Privilege (AC-6)

ID: IRS 1075 9.3.1.6

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. auditIfNotExists 1.0.0
Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. auditIfNotExists 1.0.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Remote Access (AC-17)

ID: IRS 1075 9.3.1.12

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords AuditIfNotExists, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Function Apps Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Web Applications Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.1

Awareness and Training

Content of Audit Records (AU-3)

ID: IRS 1075 9.3.3.3

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Log Analytics Agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0-preview
Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0
Virtual machines should be connected to a specified workspace Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. AuditIfNotExists, Disabled 1.1.0

Response to Audit Processing Failures (AU-5)

ID: IRS 1075 9.3.3.5

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit diagnostic setting Audit diagnostic setting for selected resource types AuditIfNotExists 1.0.0
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2

Audit Review, Analysis, and Reporting (AU-6)

ID: IRS 1075 9.3.3.6

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Log Analytics Agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0-preview
Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0
Virtual machines should be connected to a specified workspace Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. AuditIfNotExists, Disabled 1.1.0

Audit Generation (AU-12)

ID: IRS 1075 9.3.3.11

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit diagnostic setting Audit diagnostic setting for selected resource types AuditIfNotExists 1.0.0
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Log Analytics Agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0-preview
Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0
Virtual machines should be connected to a specified workspace Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. AuditIfNotExists, Disabled 1.1.0

Configuration Management

Least Functionality (CM-7)

ID: IRS 1075 9.3.5.7

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0

User-Installed Software (CM-11)

ID: IRS 1075 9.3.5.11

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0

Contingency Planning

Alternate Processing Site (CP-7)

ID: IRS 1075 9.3.6.6

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. auditIfNotExists 1.0.0

Identification and Authentication

Identification and Authentication (Organizational Users) (IA-2)

ID: IRS 1075 9.3.7.2

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0

Authenticator Management (IA-5)

ID: IRS 1075 9.3.7.5

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 AuditIfNotExists, Disabled 1.0.0
Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that allow re-use of the previous 24 passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have a maximum password age of 70 days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have a minimum password age of 1 day Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not restrict the minimum password length to 14 characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption AuditIfNotExists, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1

Risk Assessment

Vulnerability Scanning (RA-5)

ID: IRS 1075 9.3.14.3

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 3.0.0

System and Communications Protection

Denial of Service Protection (SC-5)

ID: IRS 1075 9.3.16.4

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure DDoS Protection Standard should be enabled DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. AuditIfNotExists, Disabled 3.0.0

Boundary Protection (SC-7)

ID: IRS 1075 9.3.16.5

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.1

Transmission Confidentiality and Integrity (SC-8)

ID: IRS 1075 9.3.16.6

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Windows web servers should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. AuditIfNotExists, Disabled 3.0.0

Protection of Information at Rest (SC-28)

ID: IRS 1075 9.3.16.15

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in Server-side encryption of Azure Disk Storage and Different disk encryption offerings. AuditIfNotExists, Disabled 2.0.2

System and Information Integrity

Flaw Remediation (SI-2)

ID: IRS 1075 9.3.17.2

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.0.0
System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. AuditIfNotExists, Disabled 3.0.0
System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 4.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 3.0.0

Malicious Code Protection (SI-3)

ID: IRS 1075 9.3.17.3

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0

Information System Monitoring (SI-4)

ID: IRS 1075 9.3.17.4

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Log Analytics Agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0-preview
Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. AuditIfNotExists, Disabled 2.0.0
Virtual machines should be connected to a specified workspace Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. AuditIfNotExists, Disabled 1.1.0

Next steps

Additional articles about Azure Policy: