Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the NIST SP 800-171 R2 controls. Use the navigation on the right to jump directly to a specific compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the NIST SP 800-171 R2 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Access Control

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

ID: NIST SP 800-171 R2 3.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 3.0.0
Deprecated accounts should be removed from your subscription Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Deprecated accounts with owner permissions should be removed from your subscription Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
External accounts with owner permissions should be removed from your subscription External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
External accounts with read permissions should be removed from your subscription External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
External accounts with write permissions should be removed from your subscription External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Function Apps Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Web Applications Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 3.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.0

Control the flow of CUI in accordance with approved authorizations.

ID: NIST SP 800-171 R2 3.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
CORS should not allow every resource to access your Web Applications Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. AuditIfNotExists, Disabled 1.0.0

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

ID: NIST SP 800-171 R2 3.1.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 1.0.0
Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Show audit results from Windows VMs in which the Administrators group contains any of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 1.0.0

Monitor and control remote access sessions.

ID: NIST SP 800-171 R2 3.1.12 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 3.0.0
Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Function Apps Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Web Applications Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 3.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.0

Audit and Accountability

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

ID: NIST SP 800-171 R2 3.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.0-preview
Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.1
Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 1.0.0
Audit diagnostic setting Audit diagnostic setting for selected resource types AuditIfNotExists 1.0.0
Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.1
Audit Log Analytics workspace for VM - Report Mismatch Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. audit 1.0.1
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 1.0.0
The Log Analytics agent should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0
The Log Analytics agent should be installed on virtual machines This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0

Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

ID: NIST SP 800-171 R2 3.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.0-preview
Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.1
Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 1.0.0
Audit diagnostic setting Audit diagnostic setting for selected resource types AuditIfNotExists 1.0.0
Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.1
Audit Log Analytics workspace for VM - Report Mismatch Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. audit 1.0.1
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 1.0.0
The Log Analytics agent should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0
The Log Analytics agent should be installed on virtual machines This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0

Alert in the event of an audit logging process failure.

ID: NIST SP 800-171 R2 3.3.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.1
Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 1.0.0
Audit diagnostic setting Audit diagnostic setting for selected resource types AuditIfNotExists 1.0.0
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 1.0.0

Configuration Management

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

ID: NIST SP 800-171 R2 3.4.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 1.0.2

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

ID: NIST SP 800-171 R2 3.4.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 1.0.2

Control and monitor user-installed software.

ID: NIST SP 800-171 R2 3.4.9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 1.0.2

Identification and Authentication

Identify system users, processes acting on behalf of users, and devices.

ID: NIST SP 800-171 R2 3.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0

Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

ID: NIST SP 800-171 R2 3.5.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 3.0.0
Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 3.0.0

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

ID: NIST SP 800-171 R2 3.5.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0

Enforce a minimum password complexity and change of characters when new passwords are created.

ID: NIST SP 800-171 R2 3.5.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 3.0.0
Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 3.0.0
Show audit results from Windows VMs that do not have the password complexity setting enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0

Prohibit password reuse for a specified number of generations.

ID: NIST SP 800-171 R2 3.5.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Show audit results from Windows VMs that allow re-use of the previous 24 passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0

Store and transmit only cryptographically-protected passwords.

ID: NIST SP 800-171 R2 3.5.10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 3.0.0
Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 3.0.0
Show audit results from Windows VMs that do not store passwords using reversible encryption This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0

Risk Assessment

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

ID: NIST SP 800-171 R2 3.11.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.1
Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities on your SQL databases should be remediated Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities should be remediated by a Vulnerability Assessment solution Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. AuditIfNotExists, Disabled 1.0.0

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

ID: NIST SP 800-171 R2 3.13.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Access through Internet facing endpoint should be restricted Azure Security center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. AuditIfNotExists, Disabled 1.0.0
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 1.0.0
API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Deploy prerequisites to audit Windows web servers that are not using secure communication protocols This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Latest TLS version should be used in your API App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Latest TLS version should be used in your Function App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Latest TLS version should be used in your Web App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Show audit results from Windows web servers that are not using secure communication protocols This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.0
Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

ID: NIST SP 800-171 R2 3.13.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Access through Internet facing endpoint should be restricted Azure Security center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. AuditIfNotExists, Disabled 1.0.0
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.0

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

ID: NIST SP 800-171 R2 3.13.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Deploy prerequisites to audit Windows web servers that are not using secure communication protocols This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol deployIfNotExists 1.2.0
Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Show audit results from Windows web servers that are not using secure communication protocols This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol auditIfNotExists 1.0.0
Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled 1.0.0

Protect the confidentiality of CUI at rest.

ID: NIST SP 800-171 R2 3.13.16 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.1
Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 1.0.0
Disk encryption should be applied on virtual machines VMs without an enabled disk encryption will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 1.0.0

System and Information Integrity

Identify, report, and correct system flaws in a timely manner.

ID: NIST SP 800-171 R2 3.14.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure that '.NET Framework' version is the latest, if used as a part of the API app Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that '.NET Framework' version is the latest, if used as a part of the Function App Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that '.NET Framework' version is the latest, if used as a part of the Web app Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'HTTP Version' is the latest, if used to run the Api app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'HTTP Version' is the latest, if used to run the Function app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'HTTP Version' is the latest, if used to run the Web app Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords AuditIfNotExists, Disabled 1.0.0
Ensure that 'Java version' is the latest, if used as a part of the Api app Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'Java version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.1
Ensure that 'Java version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'PHP version' is the latest, if used as a part of the Api app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'PHP version' is the latest, if used as a part of the Function app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'PHP version' is the latest, if used as a part of the WEB app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'Python version' is the latest, if used as a part of the Api app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'Python version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Ensure that 'Python version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.0.0
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Audit, Disabled 1.0.1-preview
Latest TLS version should be used in your API App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Latest TLS version should be used in your Function App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
Latest TLS version should be used in your Web App Upgrade to the latest TLS version AuditIfNotExists, Disabled 1.0.0
System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. AuditIfNotExists, Disabled 1.0.0
System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities on your SQL databases should be remediated Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities should be remediated by a Vulnerability Assessment solution Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. AuditIfNotExists, Disabled 1.0.0

Provide protection from malicious code at designated locations within organizational systems.

ID: NIST SP 800-171 R2 3.14.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 1.0.0
Microsoft IaaSAntimalware extension should be deployed on Windows servers This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. AuditIfNotExists, Disabled 1.0.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 1.0.0

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

ID: NIST SP 800-171 R2 3.14.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A security contact email address should be provided for your subscription Enter an email address to receive notifications when Azure Security Center detects compromised resources AuditIfNotExists, Disabled 1.0.0
A security contact phone number should be provided for your subscription Enter a phone number to receive notifications when Azure Security Center detects compromised resources AuditIfNotExists, Disabled 1.0.0
Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.1
Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 1.0.0
Email notification to subscription owner for high severity alerts should be enabled Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion AuditIfNotExists, Disabled 1.0.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. auditIfNotExists 1.0.0

Note

Availability of specific Azure Policy definitions may vary in Azure Government and other national clouds.

Next steps

Additional articles about Azure Policy: