Security recommendations - a reference guide

This article lists the recommendations you might see in Azure Security Center. The recommendations shown in your environment depend on the resources you're protecting and your customized configuration.

Security Center's recommendations are based on best practices. Some are aligned with the Azure Security Benchmark, the Microsoft-authored, Azure-specific guidelines for security and compliance best practices based on common compliance frameworks. Learn more about Azure Security Benchmark.

To learn about how to respond to these recommendations, see Remediate recommendations in Azure Security Center.

Your Secure Score is based on the number of Security Center recommendations you've completed. To decide which recommendations to resolve first, look at the severity of each one and its potential impact on your Secure Score.

Tip

If a recommendation's description says "No related policy", it's usually because that recommendation is dependent on a different recommendation and its policy. For example, the recommendation "Endpoint protection health failures should be remediated...", relies on the recommendation that checks whether an endpoint protection solution is even installed ("Endpoint protection solution should be installed..."). The underlying recommendation does have a policy. Limiting the policies to only the foundational recommendation simplifies policy management.

Network recommendations

Recommendation: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines
Description: Customers on the standard pricing tier will see this recommendation when the Adaptive Network Hardening feature finds an overly-permissive NSG rule.
Related policy: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines
Severity: High; Quick fix enabled: N; Resource type: Virtual machine

Recommendation: All network ports should be restricted on NSG associated to your VM
Description: Harden the network security groups of your Internet-facing VMs by restricting the access of your existing allow rules. This recommendation is triggered when any port is opened to all sources (except for ports 22, 3389, 5985, 5986, 80, and 1443).
Related policy: Access through internet facing endpoint should be restricted
Severity: High; Quick fix enabled: N; Resource type: Virtual machine

Recommendation: DDoS Protection Standard should be enabled
Description: Protect virtual networks containing applications with public IPs by enabling DDoS protection service standard. DDoS protection enables mitigation of network volumetric and protocol attacks.
Related policy: DDoS Protection Standard should be enabled
Severity: High; Quick fix enabled: N; Resource type: Virtual network

Recommendation: Function App should only be accessible over HTTPS
Description: Enable "HTTPS only" access for function apps. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Related policy: Function App should only be accessible over HTTPS
Severity: Medium; Quick fix enabled: Y; Resource type: Function app

Recommendation: Internet-facing virtual machines should be protected with Network Security Groups
Description: Enable Network Security Groups to control network access of your virtual machines.
Related policy: Internet-facing virtual machines should be protected with Network Security Groups
Severity: High / Medium; Quick fix enabled: N; Resource type: Virtual machine

Recommendation: Non-internet-facing virtual machines should be protected with network security groups
Description: Protect your non-internet-facing virtual machines from potential threats by restricting access to them with network security groups (NSG). NSGs contain access-control lists (ACL) and can be assigned to the VM's NIC or subnet. The ACL rules allow or deny network traffic to the assigned resource.
Related policy: Non-internet-facing virtual machines should be protected with network security groups
Severity: Low; Quick fix enabled: N; Resource type: Virtual machine

Recommendation: IP forwarding on your virtual machine should be disabled
Description: Disable IP forwarding. When IP forwarding is enabled on a virtual machine's NIC, the machine can receive traffic addressed to other destinations. IP forwarding is rarely required (for example, when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
Related policy: [Preview]: IP Forwarding on your virtual machine should be disabled
Severity: Medium; Quick fix enabled: N; Resource type: Virtual machine

Recommendation: Management ports of virtual machines should be protected with just-in-time network access control
Description: Apply just-in-time (JIT) virtual machine (VM) access control to permanently lock down access to selected ports, and enable authorized users to open them, via JIT, for a limited amount of time only.
Related policy: Management ports of virtual machines should be protected with just-in-time network access control
Severity: High; Quick fix enabled: N; Resource type: Virtual machine

Recommendation: Management ports should be closed on your virtual machines
Description: Harden the network security group of your virtual machines to restrict access to management ports.
Related policy: Management ports should be closed on your virtual machines
Severity: High; Quick fix enabled: N; Resource type: Virtual machine

Recommendation: Secure transfer to storage accounts should be enabled
Description: Enable secure transfer to storage accounts. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks, such as man-in-the-middle, eavesdropping, and session-hijacking.
Related policy: Secure transfer to storage accounts should be enabled
Severity: High; Quick fix enabled: Y; Resource type: Storage account

Recommendation: Subnets should be associated with a Network Security Group
Description: Enable network security groups to control network access of resources deployed in your subnets.
Related policy: Subnets should be associated with a Network Security Group. This policy is disabled by default.
Severity: High / Medium; Quick fix enabled: N; Resource type: Subnet

Recommendation: Web Application should only be accessible over HTTPS
Description: Enable "HTTPS only" access for web applications. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Related policy: Web Application should only be accessible over HTTPS
Severity: Medium; Quick fix enabled: Y; Resource type: Web application

Container recommendations

Recommendation: Advanced threat protection should be enabled on Azure Kubernetes Service clusters
Description: Security Center provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your AKS clusters. If you don't have any AKS clusters in this subscription, no charges will be incurred. If you create any AKS clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Related policy: Advanced threat protection should be enabled on Azure Kubernetes Service clusters
Severity: High; Quick fix enabled: Y; Resource type: Subscription

Recommendation: Authorized IP ranges should be defined on Kubernetes Services
Description: Restrict access to the Kubernetes service management API by granting API access only to IP addresses in specific ranges. It is recommended to configure authorized IP ranges so only applications from allowed networks can access the cluster.
Related policy: [Preview]: Authorized IP ranges should be defined on Kubernetes Services
Severity: High; Quick fix enabled: N; Resource type: Compute resources (Containers)

Recommendation: Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview)
Description: Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access.
Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services
Severity: Medium; Quick fix enabled: N; Resource type: Compute resources (Containers)

Recommendation: Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster
Description: To provide granular filtering of the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information see Azure role-based access control.
Related policy: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services
Severity: Medium; Quick fix enabled: N; Resource type: Compute resources (Containers)

Recommendation: The Kubernetes Service should be upgraded to the latest Kubernetes version
Description: Upgrade Azure Kubernetes Service clusters to the latest Kubernetes version in order to benefit from up-to-date vulnerability patches. For details regarding specific Kubernetes vulnerabilities see Kubernetes CVEs.
Related policy: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Severity: High; Quick fix enabled: N; Resource type: Compute resources (Containers)

Recommendation: Advanced threat protection should be enabled on Azure Container Registry registries
Description: To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities. Security Center scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
Important: Remediating this recommendation will result in charges for protecting your ACR registries. If you don't have any ACR registries in this subscription, no charges will be incurred. If you create any ACR registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
Related policy: Advanced threat protection should be enabled on Azure Container Registry registries
Severity: High; Quick fix enabled: Y; Resource type: Subscription

Recommendation: Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
Description: Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
Related policy: No related policy
Severity: High; Quick fix enabled: N; Resource type: Compute resources (Containers)

App Service recommendations

Recommendation: Advanced threat protection should be enabled on Azure App Service plans
Description: Security Center leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred. If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
Related policy: Advanced threat protection should be enabled on Azure App Service plans
Severity: High; Quick fix enabled: Y; Resource type: Subscription

Recommendation: Web Application should only be accessible over HTTPS
Description: Enable "HTTPS only" access for web applications. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Related policy: Web Application should only be accessible over HTTPS
Severity: Medium; Quick fix enabled: Y; Resource type: App service

Recommendation: Function App should only be accessible over HTTPS
Description: Enable "HTTPS only" access for function apps. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Related policy: Function App should only be accessible over HTTPS
Severity: Medium; Quick fix enabled: Y; Resource type: App service

Recommendation: API App should only be accessible over HTTPS
Description: Limit access of API Apps over HTTPS only.
Related policy: API App should only be accessible over HTTPS
Severity: Medium; Quick fix enabled: N; Resource type: App service

Recommendation: Remote debugging should be turned off for Web Applications
Description: Turn off debugging for Web Applications if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Web App.
Related policy: Remote debugging should be turned off for Web Application
Severity: Low; Quick fix enabled: Y; Resource type: App service

Recommendation: Remote debugging should be turned off for Function App
Description: Turn off debugging for Function App if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Function App.
Related policy: Remote debugging should be turned off for Function App
Severity: Low; Quick fix enabled: Y; Resource type: App service

Recommendation: Remote debugging should be turned off for API App
Description: Turn off debugging for API App if you no longer need to use it. Remote debugging requires inbound ports to be opened on an API App.
Related policy: Remote debugging should be turned off for API App
Severity: Low; Quick fix enabled: Y; Resource type: App service

Recommendation: CORS should not allow every resource to access your Web Applications
Description: Allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your web application.
Related policy: CORS should not allow every resource to access your Web Application
Severity: Low; Quick fix enabled: Y; Resource type: App service

Recommendation: CORS should not allow every resource to access your Function App
Description: Allow only required domains to interact with your function application. Cross origin resource sharing (CORS) should not allow all domains to access your function application.
Related policy: CORS should not allow every resource to access your Function App
Severity: Low; Quick fix enabled: Y; Resource type: App service

Recommendation: CORS should not allow every resource to access your API App
Description: Allow only required domains to interact with your API application. Cross origin resource sharing (CORS) should not allow all domains to access your API application.
Related policy: CORS should not allow every resource to access your API App
Severity: Low; Quick fix enabled: Y; Resource type: App service

Recommendation: Diagnostic logs in App Services should be enabled
Description: Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in App Services should be enabled
Severity: Low; Quick fix enabled: N; Resource type: App service

Compute and app recommendations

Recommendation: Advanced threat protection should be enabled on virtual machines
Description: Security Center provides real-time threat protection for your virtual machine workloads and generates hardening recommendations as well as alerts about suspicious activities. You can use this information to quickly remediate security issues and improve the security of your virtual machines.
Important: Remediating this recommendation will result in charges for protecting your virtual machines. If you don't have any virtual machines in this subscription, no charges will be incurred. If you create any virtual machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Related policy: Advanced threat protection should be enabled on virtual machines
Severity: High; Quick fix enabled: Y; Resource type: Subscription

Recommendation: Diagnostic logs in Azure Stream Analytics should be enabled
Description: Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Azure Stream Analytics should be enabled
Severity: Low; Quick fix enabled: Y; Resource type: Compute resources (stream analytics)

Recommendation: Diagnostic logs in Batch accounts should be enabled
Description: Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Batch accounts should be enabled
Severity: Low; Quick fix enabled: Y; Resource type: Compute resources (batch)

Recommendation: Diagnostic logs in Event Hub should be enabled
Description: Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Event Hub should be enabled
Severity: Low; Quick fix enabled: Y; Resource type: Compute resources (event hub)

Recommendation: Diagnostic logs in Logic Apps should be enabled
Description: Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Logic Apps should be enabled
Severity: Low; Quick fix enabled: Y; Resource type: Compute resources (logic apps)

Recommendation: Diagnostic logs in Search services should be enabled
Description: Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Search services should be enabled
Severity: Low; Quick fix enabled: Y; Resource type: Compute resources (search)

Recommendation: Diagnostic logs in Service Bus should be enabled
Description: Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Service Bus should be enabled
Severity: Low; Quick fix enabled: Y; Resource type: Compute resources (service bus)

Recommendation: Service Fabric clusters should only use Azure Active Directory for client authentication
Description: Perform client authentication only via Azure Active Directory in Service Fabric.
Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication
Severity: High; Quick fix enabled: N; Resource type: Compute resources (service fabric)

Recommendation: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
Description: Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.
Related policy: The ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set
Severity: High; Quick fix enabled: N; Resource type: Compute resources (service fabric)

Recommendation: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace
Description: Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.
Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace
Severity: Low; Quick fix enabled: N; Resource type: Compute resources (service bus)

Recommendation: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace
Description: Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.
Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace
Severity: Low; Quick fix enabled: N; Resource type: Compute resources (event hub)

Recommendation: Authorization rules on the Event Hub entity should be defined
Description: Audit authorization rules on the Event Hub entity to grant least-privileged access.
Related policy: Authorization rules on the Event Hub entity should be defined
Severity: Low; Quick fix enabled: N; Resource type: Compute resources (event hub)

Recommendation: Install monitoring agent on your virtual machines
Description: Install the Monitoring agent to enable data collection, updates scanning, baseline scanning, and endpoint protection on each machine.
Related policy: No related policy
Severity: High; Quick fix enabled: Y; Resource type: Machine

Recommendation: Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
Description: Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines.
Related policy: [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines
Severity: High; Quick fix enabled: Y; Resource type: Azure Arc Machine

Recommendation: Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)
Description: Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines.
Related policy: [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines
Severity: High; Quick fix enabled: Y; Resource type: Azure Arc Machine

Recommendation: Guest configuration extension should be installed on Windows virtual machines (Preview)
Description: Install the guest configuration agent to enable auditing of settings inside a machine, such as the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available, such as 'Windows Exploit guard should be enabled'.
Related policy: Audit prerequisites to enable Guest Configuration policies on Windows VMs
Severity: High; Quick fix enabled: Y; Resource type: Machine

Recommendation: Windows Defender Exploit Guard should be enabled on your machines (Preview)
Description: Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).
Related policy: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Severity: Medium; Quick fix enabled: N; Resource type: Machine

Recommendation: Monitoring agent health issues should be resolved on your machines
Description: For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.
Related policy: No related policy; dependent upon "Install monitoring agent on your virtual machines"
Severity: Medium; Quick fix enabled: N; Resource type: Machine

Recommendation: Adaptive Application Controls should be enabled on virtual machines
Description: Enable application control to control which applications can run on your VMs located in Azure. This will help harden your VMs against malware. Security Center uses machine learning to analyze the applications running on each VM and helps you apply allow rules using this intelligence. This capability simplifies the process of configuring and maintaining application allow rules.
Related policy: Adaptive Application Controls should be enabled on virtual machines
Severity: High; Quick fix enabled: N; Resource type: Machine

Recommendation: Install endpoint protection solution on your machines
Description: Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.
Related policy: Monitor missing Endpoint Protection in Azure Security Center
Severity: Medium; Quick fix enabled: N; Resource type: Machine

Recommendation: Install endpoint protection solution on virtual machines
Description: Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.
Related policy: No related policy
Severity: Medium; Quick fix enabled: N; Resource type: Machine

Recommendation: OS version should be updated for your cloud service roles
Description: Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.
Related policy: No related policy
Severity: High; Quick fix enabled: N; Resource type: Machine

Recommendation: System updates should be installed on your machines
Description: Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers.
Related policy: System updates should be installed on your machines
Severity: High; Quick fix enabled: N; Resource type: Machine

Recommendation: Network traffic data collection agent should be installed on Linux virtual machines (Preview)
Description: Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.
Related policy: [Preview]: Network traffic data collection agent should be installed on Linux virtual machines
Severity: Medium; Quick fix enabled: Y; Resource type: Machine

Recommendation: Network traffic data collection agent should be installed on Windows virtual machines (Preview)
Description: Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.
Related policy: [Preview]: Network traffic data collection agent should be installed on Windows virtual machines
Severity: Medium; Quick fix enabled: Y; Resource type: Machine

Recommendation: Enable the built-in vulnerability assessment solution on virtual machines
Description: Install the Qualys agent (built into the Azure Security Center standard tier offering) to enable a best-of-breed vulnerability assessment solution on your virtual machines.
Related policy: Vulnerability assessment should be enabled on virtual machines
Severity: Medium; Quick fix enabled: Y; Resource type: Machine

Recommendation: Remediate vulnerabilities found on your virtual machines (powered by Qualys)
Description: Monitors vulnerability findings on your virtual machines as discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).
Related policy: Vulnerability Assessment should be enabled on Virtual Machines
Severity: Low; Quick fix enabled: N; Resource type: Machine

Recommendation: Your machines should be restarted to apply system updates
Description: Restart your machines to apply the system updates and secure the machine from vulnerabilities.
Related policy: No related policy; dependent upon "System updates should be installed on your machines"
Severity: Medium; Quick fix enabled: N; Resource type: Machine

Recommendation: Automation account variables should be encrypted
Description: Enable encryption of Automation account variable assets when storing sensitive data.
Related policy: Encryption should be enabled on Automation account variables
Severity: High; Quick fix enabled: N; Resource type: Compute resources (automation account)

Recommendation: Disk encryption should be applied on virtual machines
Description: Encrypt your virtual machine disks using Azure Disk Encryption for both Windows and Linux virtual machines. Azure Disk Encryption (ADE) leverages the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption, with the keys held in your own Azure Key Vault, to help protect and safeguard your data and help meet your organizational security and compliance commitments. When your compliance and security requirements require you to encrypt the data end to end using your own encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use Azure Disk Encryption. Alternatively, Managed Disks are encrypted at rest by default using Azure Storage Service Encryption, where the encryption keys are Microsoft-managed keys in Azure. If this meets your compliance and security requirements, you can leverage the default Managed Disk encryption.
Related policy: Disk encryption should be applied on virtual machines
Severity: High; Quick fix enabled: N; Resource type: Machine

Recommendation: Virtual machines should be migrated to new Azure Resource Manager resources
Description: Use Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.
Related policy: Virtual machines should be migrated to new Azure Resource Manager resources
Severity: Low; Quick fix enabled: N; Resource type: Machine

Recommendation: Vulnerability assessment solution should be installed on your virtual machines
Description: Install a vulnerability assessment solution on your virtual machines.
Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution
Severity: Medium; Quick fix enabled: N; Resource type: Machine

Recommendation: Vulnerabilities should be remediated by a Vulnerability Assessment solution
Description: Virtual machines on which a third-party vulnerability assessment solution is deployed are continuously assessed for application and OS vulnerabilities. Whenever such vulnerabilities are found, their details are made available as part of the recommendation.
Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution
Severity: High; Quick fix enabled: N; Resource type: Machine

Recommendation: Vulnerabilities in security configuration on your machines should be remediated
Description: Remediate vulnerabilities in security configuration on your machines to protect them from attacks.
Related policy: Vulnerabilities in security configuration on your machines should be remediated
Severity: Low; Quick fix enabled: N; Resource type: Machine

Recommendation: Vulnerabilities in container security configurations should be remediated
Description: Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.
Related policy: Vulnerabilities in container security configurations should be remediated
Severity: High; Quick fix enabled: N; Resource type: Machine

Recommendation: Endpoint protection health issues should be resolved on your machines
Description: For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.
Related policy: This recommendation is dependent upon the recommendation "Install endpoint protection solution on your machines" and its policy
Severity: Medium; Quick fix enabled: N; Resource type: Machine

Virtual machine scale set recommendations

Recommendation: Diagnostic logs in Virtual Machine Scale Sets should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes. This is useful when a security incident occurs, or your network is compromised.
Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled
Severity: Low; Quick fix enabled: N; Resource type: Virtual machine scale set

Recommendation: Endpoint protection health failures should be remediated on virtual machine scale sets
Description: Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.
Related policy: No related policy; dependent upon "Endpoint protection solution should be installed on virtual machine scale sets"
Severity: Low; Quick fix enabled: N; Resource type: Virtual machine scale set

Recommendation: Endpoint protection solution should be installed on virtual machine scale sets
Description: Install an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities.
Related policy: Endpoint protection solution should be installed on virtual machine scale sets
Severity: High; Quick fix enabled: N; Resource type: Virtual machine scale set

Recommendation: Monitoring agent should be installed on virtual machine scale sets
Description: Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets. You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.
Severity: High; Quick fix enabled: Y; Resource type: Virtual machine scale set

Recommendation: System updates on virtual machine scale sets should be installed
Description: Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.
Related policy: System updates on virtual machine scale sets should be installed
Severity: High; Quick fix enabled: N; Resource type: Virtual machine scale set

Recommendation: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
Description: Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.
Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
Severity: High; Quick fix enabled: N; Resource type: Virtual machine scale set

Data and storage recommendations

Recommendation: Advanced data security should be enabled on Azure SQL Database servers
Description: Advanced data security is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred. If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Related policy: Advanced data security should be enabled on Azure SQL Database servers
Severity: High; Quick fix enabled: Y; Resource type: Subscription

Recommendation: Advanced data security should be enabled on SQL servers on machines
Description: Advanced data security is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred. If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
Related policy: Advanced data security should be enabled on SQL servers on machines
Severity: High; Quick fix enabled: Y; Resource type: Subscription

Recommendation: Advanced threat protection should be enabled on Azure Storage accounts
Description: Advanced threat protection for storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred. If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
Related policy: Advanced threat protection should be enabled on Azure Storage accounts
Severity: High; Quick fix enabled: Y; Resource type: Subscription

Recommendation: Access to storage accounts with firewall and virtual network configurations should be restricted
Description: Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific Internet or on-premises clients, you can grant access to traffic from specific Azure virtual networks or to public Internet IP address ranges.
Related policy: Audit unrestricted network access to storage accounts
Severity: Low; Quick fix enabled: N; Resource type: Storage account

Recommendation: Advanced data security should be enabled on your managed instances
Description: Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed instance.
(Related policy: Advanced data security should be enabled on SQL Managed Instance)
High Y SQL
Advanced data security should be enabled on your SQL servers Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.
(Related policy: Advanced data security should be enabled on your SQL servers)
High Y SQL
An Azure Active Directory administrator should be provisioned for SQL Database Provision an Azure AD administrator for your SQL Database to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
(Related policy: Audit provisioning of an Azure Active Directory administrator for SQL server)
High N SQL
Auditing on SQL Database should be enabled Enable auditing for SQL Database.
(Related policy: Auditing should be enabled for SQL Database on advanced data security settings for your server)
Low Y SQL
Diagnostic logs in Azure Data Lake Store should be enabled Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Azure Data Lake Store should be enabled)
Low Y Data lake store
Diagnostic logs in Data Lake Analytics should be enabled Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Data Lake Analytics should be enabled)
Low Y Data lake analytics
Only secure connections to your Redis Cache should be enabled Enable only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
(Related policy: Only secure connections to your Redis Cache should be enabled)
High N Redis
Secure transfer to storage accounts should be enabled Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
(Related policy: Secure transfer to storage accounts should be enabled)
High N Storage account
Sensitive data in your SQL databases should be classified Azure SQL Database Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL Database auditing to audit access to and monitor the sensitive data. Azure SQL Database also enables Advanced Threat Protection features, which create intelligent alerts based on changes in the access patterns to the sensitive data.
(Related policy: [Preview]: Sensitive data in your SQL databases should be classified)
High N SQL
Storage accounts should be migrated to new Azure Resource Manager resources Use the new Azure Resource Manager for your storage accounts to gain security enhancements such as stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to Key Vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management.
(Related policy: Storage accounts should be migrated to new Azure Resource Manager resources)
Low N Storage account
Transparent Data Encryption on SQL databases should be enabled Enable transparent data encryption to protect data-at-rest and meet compliance requirements.
(Related policy: Transparent Data Encryption on SQL databases should be enabled)
Low Y SQL
Vulnerability assessment should be enabled on SQL Database Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
(Related policy: Vulnerability assessment should be enabled on your SQL servers)
High Y SQL
Vulnerability assessment should be enabled on SQL Managed Instance Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
(Related policy: Vulnerability assessment should be enabled on SQL Managed Instance)
High Y SQL
Vulnerability assessment findings on your SQL servers on machines should be remediated (Preview) SQL Vulnerability assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.
High N SQL
Vulnerability assessment findings on your SQL databases should be remediated SQL Vulnerability assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.
(Related policy: Vulnerabilities on your SQL databases should be remediated)
High N SQL

Identity and access recommendations

Recommendation Description & related policy Severity Quick fix enabled?(Learn more) Resource type
MFA should be enabled on accounts with read permissions on your subscription Enable Multi-Factor Authentication (MFA) for all subscription accounts with read privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with read permissions on your subscription)
High N Subscription
MFA should be enabled on accounts with write permissions on your subscription Enable Multi-Factor Authentication (MFA) for all subscription accounts with write privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with write permissions on your subscription)
High N Subscription
MFA should be enabled on accounts with owner permissions on your subscription Enable Multi-Factor Authentication (MFA) for all subscription accounts with owner privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with owner permissions on your subscription)
High N Subscription
External accounts with read permissions should be removed from your subscription Remove external accounts with read privileges from your subscription in order to prevent unmonitored access.
(Related policy: External accounts with read permissions should be removed from your subscription)
High N Subscription
External accounts with write permissions should be removed from your subscription Remove external accounts with write privileges from your subscription in order to prevent unmonitored access.
(Related policy: External accounts with write permissions should be removed from your subscription)
High N Subscription
External accounts with owner permissions should be removed from your subscription Remove external accounts with owner privileges from your subscription in order to prevent unmonitored access.
(Related policy: External accounts with owner permissions should be removed from your subscription)
High N Subscription
Deprecated accounts with owner permissions should be removed from your subscription Remove deprecated accounts with owner permissions from your subscriptions.
(Related policy: Deprecated accounts with owner permissions should be removed from your subscription)
High N Subscription
Deprecated accounts should be removed from your subscription Remove deprecated accounts from your subscriptions to enable access to only current users.
(Related policy: Deprecated accounts should be removed from your subscription)
High N Subscription
There should be more than one owner assigned to your subscription Designate more than one subscription owner in order to have administrator access redundancy.
(Related policy: There should be more than one owner assigned to your subscription)
High N Subscription
A maximum of 3 owners should be designated for your subscription Designate fewer than three subscription owners in order to reduce the potential for breach by a compromised owner.
(Related policy: A maximum of 3 owners should be designated for your subscription)
High N Subscription
Advanced threat protection should be enabled on Azure Key Vault vaults Azure Security Center includes Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence.
Important: Remediating this recommendation will result in charges for protecting your AKV vaults. If you don't have any AKV vaults in this subscription, no charges will be incurred. If you create any AKV vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
(Related policy: Advanced threat protection should be enabled on Azure Key Vault vaults)
High Y Subscription
Diagnostic logs in Key Vault should be enabled Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Key Vault should be enabled)
Low Y Key Vault

Deprecated recommendations

Recommendation Description & related policy Severity Quick fix enabled?(Learn more) Resource type
Access to App Services should be restricted Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad.
(Related policy: [Preview]: Access to App Services should be restricted)
High N App service
The rules for web applications on IaaS NSGs should be hardened Harden the network security group (NSG) of your virtual machines that are running web applications, where the NSG rules are overly permissive with regard to web application ports.
(Related policy: The NSGs rules for web applications on IaaS should be hardened)
High N Virtual machine

Next steps

To learn more about recommendations, see the following: