Security recommendations - a reference guide

This article lists the recommendations you might see in Azure Security Center. The recommendations shown in your environment depend on the resources you're protecting and your customized configuration.

Security Center's recommendations are based on best practices. Some are aligned with the Azure Security Benchmark, the Microsoft-authored, Azure-specific guidelines for security and compliance best practices based on common compliance frameworks. Learn more about Azure Security Benchmark.

To learn about how to respond to these recommendations, see Remediate recommendations in Azure Security Center.

Your Secure Score is based on the number of Security Center recommendations you've completed. To decide which recommendations to resolve first, look at the severity of each one and its potential impact on your Secure Score.

Tip

If a recommendation's description says "No related policy", it's usually because that recommendation is dependent on a different recommendation and its policy. For example, the recommendation "Endpoint protection health failures should be remediated...", relies on the recommendation that checks whether an endpoint protection solution is even installed ("Endpoint protection solution should be installed..."). The underlying recommendation does have a policy. Limiting the policies to only the foundational recommendation simplifies policy management.

Network recommendations

Columns: Recommendation | Description & related policy | Severity | Quick fix enabled? | Resource type
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface.
A rule is typically flagged because the source IP address it allows doesn't communicate regularly with the resource, or because that IP address has been flagged as malicious by Security Center's threat intelligence sources.
(Related policy: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines)
High N Virtual machine
All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall.
(Related policy: [Preview] All Internet traffic should be routed via your deployed Azure Firewall)
High N Subnet
All network ports should be restricted on network security groups associated to your virtual machine Harden the network security groups of your Internet-facing VMs by restricting the access of your existing allow rules.
This recommendation is triggered when any port is opened to all sources (except for ports 22, 3389, 5985, 5986, 80, and 1443).
(Related policy: All network ports should be restricted on network security groups associated to your virtual machine)
High N Virtual machine
DDoS Protection Standard should be enabled Protect virtual networks containing applications with public IPs by enabling DDoS protection service standard. DDoS protection enables mitigation of network volumetric and protocol attacks.
(Related policy: DDoS Protection Standard should be enabled)
High N Virtual network
Function App should only be accessible over HTTPS Enable "HTTPS only" access for function apps. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
(Related policy: Function App should only be accessible over HTTPS)
Medium Y Function app
Internet-facing virtual machines should be protected with Network Security Groups Enable Network Security Groups to control network access of your virtual machines.
(Related policy: Internet-facing virtual machines should be protected with Network Security Groups)
High/ Medium N Virtual machine
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access to them with network security groups (NSG).
NSGs contain access-control lists (ACL) and can be assigned to the VM's NIC or subnet. The ACL rules allow or deny network traffic to the assigned resource.
(Related policy: Non-internet-facing virtual machines should be protected with network security groups)
Low N Virtual machine
IP forwarding on your virtual machine should be disabled Disable IP forwarding. When IP forwarding is enabled on a virtual machine's NIC, the machine can receive traffic addressed to other destinations. IP forwarding is rarely required (for example, when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
(Related policy: [Preview]: IP Forwarding on your virtual machine should be disabled)
Medium N Virtual machine
Management ports of virtual machines should be protected with just-in-time network access control Apply just-in-time (JIT) virtual machine (VM) access control to permanently lock down access to selected ports, and enable authorized users to open them, via JIT, for a limited amount of time only.
(Related policy: Management ports of virtual machines should be protected with just-in-time network access control)
High N Virtual machine
Management ports should be closed on your virtual machines Harden the network security group of your virtual machines to restrict access to management ports.
(Related policy: Management ports should be closed on your virtual machines)
High N Virtual machine
Virtual networks should be protected by Azure Firewall Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restrict access to your virtual networks and prevent potential threats.
Learn more about Azure Firewall.
(Related policy: Virtual networks should be protected by Azure Firewall)
Low N Virtual network
Secure transfer to storage accounts should be enabled Enable secure transfer to storage accounts. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks, such as man-in-the-middle, eavesdropping, and session-hijacking.
(Related policy: Secure transfer to storage accounts should be enabled)
High Y Storage account
Subnets should be associated with a Network Security Group Enable network security groups to control network access of resources deployed in your subnets.
(Related policy: Subnets should be associated with a Network Security Group. This policy is disabled by default)
High/ Medium N Subnet
Web Application should only be accessible over HTTPS Enable "HTTPS only" access for web applications. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
(Related policy: Web Application should only be accessible over HTTPS)
Medium Y Web application
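The NSG rows above ("All network ports should be restricted...", "Management ports should be closed...") describe a check you can reproduce offline before Security Center does. The following Python is an added example, not Security Center's own evaluation logic and not from this page: it walks inbound rules in the shape returned by `az network nsg rule list -o json` (only `name`, `priority`, `direction`, `access`, `sourceAddressPrefix`/`sourceAddressPrefixes` and `destinationPortRange`/`destinationPortRanges` are read) and reports allow rules that open ports to every source. The sample rules are constructed, the exemption list reproduces the page's port list as written, and each allow rule is judged on its own rather than computing the net effect of priority-ordered deny rules, which over-reports rather than under-reports.

```python
import ipaddress

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}          # SSH, RDP, WinRM
# Ports the 'all network ports' recommendation leaves to other recommendations,
# copied from the page as written.
EXEMPT_PORTS = {22, 3389, 5985, 5986, 80, 1443}
ANY_SOURCE = {"*", "any", "internet", "0.0.0.0/0", "::/0"}

FINDING_MGMT = "Management ports should be closed on your virtual machines"
FINDING_ANY = "All network ports should be restricted on network security groups"


def source_is_open(prefix):
    """True when a source prefix admits every internet address."""
    p = prefix.strip().lower()
    if p in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:
        return False  # service tag (VirtualNetwork, AzureLoadBalancer, ...) or IP group name


def expand_ports(spec):
    """'*' -> every port; '22', '8000-8010' or '22,443' -> the set of ports."""
    if spec.strip() == "*":
        return set(range(65536))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def _ports(rule):
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    return set().union(*(expand_ports(s) for s in specs))


def audit_nsg(rules):
    """Return (rule name, finding) pairs for inbound allow rules open to the world.
    Each allow rule is judged on its own; a deny rule with a lower priority number
    could narrow the real exposure, so this over-reports, never under-reports."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound" or rule["access"].lower() != "allow":
            continue
        if not any(source_is_open(s) for s in _sources(rule)):
            continue
        ports = _ports(rule)
        if ports & MANAGEMENT_PORTS:
            findings.append((rule["name"], FINDING_MGMT))
        if ports - EXEMPT_PORTS:
            findings.append((rule["name"], FINDING_ANY))
    return findings


# Constructed sample rules; not taken from any real environment.
SAMPLE_RULES = [
    {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-http", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "80"},
    {"name": "allow-ssh-office", "priority": 120, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "allow-db-wide", "priority": 130, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"], "destinationPortRanges": ["1433", "5432"]},
    {"name": "allow-all", "priority": 140, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, finding in audit_nsg(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

On the sample, `allow-rdp-any` and `allow-all` trigger the management-port finding, `allow-db-wide` and `allow-all` trigger the open-port finding, and `allow-http` (port 80 is on the page's exemption list) and `allow-ssh-office` (source restricted to one /24) are silent. Service tags such as VirtualNetwork are treated as restricted because they are not parseable as networks; an IP group name behaves the same way.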

Container recommendations

Columns: Recommendation | Description & related policy | Severity | Quick fix enabled? | Resource type
Azure Defender for container registries should be enabled To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities. Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.
Important: Remediating this recommendation will result in charges for protecting your ACR registries. If you don't have any ACR registries in this subscription, no charges will be incurred. If you create any ACR registries on this subscription in the future, they will automatically be protected and charges will begin at that time.
(Related policy: Advanced threat protection should be enabled on Azure Container Registry registries)
High Y Subscription
Azure Defender for Kubernetes should be enabled Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your AKS clusters. If you don't have any AKS clusters in this subscription, no charges will be incurred. If you create any AKS clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
(Related policy: Advanced threat protection should be enabled on Azure Kubernetes Service clusters)
High Y Subscription
Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes service management API by granting API access only to IP addresses in specific ranges. It is recommended to configure authorized IP ranges so only applications from allowed networks can access the cluster.
(Related policy: [Preview]: Authorized IP ranges should be defined on Kubernetes Services)
High Y Kubernetes Service
Azure Policy add-on for Kubernetes should be installed and enabled on your clusters Azure Policy add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
Security Center requires the add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more.
(Related policy: [Preview]: Azure Policy add-on for Kubernetes should be installed and enabled on your clusters)
High Y Kubernetes Service
Container CPU and memory limits should be enforced Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).
We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
(Related policy: [Preview]: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster)
Medium N Kubernetes Service
Container images should be deployed from trusted registries only Images running on your Kubernetes cluster should come from known and monitored container image registries.
Trusted registries reduce your cluster exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues, and malicious images.
(Related policy: [Preview]: Ensure only allowed container images in Kubernetes cluster)
High N Kubernetes Service
Container with privilege escalation should be avoided Containers shouldn't run with privilege escalation to root in your Kubernetes cluster.
The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.
(Related policy: [Preview]: Kubernetes clusters should not allow container privilege escalation)
Medium N Kubernetes Service
Containers sharing sensitive host namespaces should be avoided To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.
(Related policy: [Preview]: Kubernetes cluster containers should not share host process ID or host IPC namespace)
Medium N Kubernetes Service
Containers should listen on allowed ports only To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers' access to the configured ports.
(Related policy: [Preview]: Ensure containers listen only on allowed ports in Kubernetes cluster)
Medium N Kubernetes Service
Immutable (read-only) root filesystem should be enforced for containers Containers should run with a read only root file system in your Kubernetes cluster.
Immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.
(Related policy: [Preview]: Kubernetes cluster containers should run with a read only root file system)
Medium N Kubernetes Service
Least privileged Linux capabilities should be enforced for containers To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user.
We recommend dropping all capabilities, then adding those that are required.
(Related policy: [Preview]: Kubernetes cluster containers should only use allowed capabilities)
Medium N Kubernetes Service
Overriding or disabling of containers AppArmor profile should be restricted Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only.
AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.
(Related policy: [Preview]: Kubernetes cluster containers should only use allowed AppArmor profiles)
High N Kubernetes Service
Privileged containers should be avoided To prevent unrestricted host access, avoid privileged containers whenever possible.
Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks, and to spread malicious code or malware to compromised applications, hosts, and networks.
(Related policy: [Preview]: Do not allow privileged containers in Kubernetes cluster)
Medium N Kubernetes Service
Role-based access control should be used to restrict access to a Kubernetes Service Cluster To provide granular filtering of the actions that users can perform, use Azure role-based access control (Azure RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information see Azure role-based access control.
(Related policy: [Preview]: Azure role-based access control (Azure RBAC) should be used on Kubernetes Services)
Medium N Kubernetes Service
Running containers as root user should be avoided Containers should run as non-root users in your Kubernetes cluster.
Running a process as the root user inside a container runs it as root on the host, because container UIDs map directly to host UIDs unless user namespaces are in use.
In case of compromise, an attacker has root in the container, and any misconfigurations become easier to exploit.
(Related policy: [Preview]: Kubernetes cluster containers should run as a non-root users)
High N Kubernetes Service
Services should listen on allowed ports only To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services' access to the configured ports.
(Related policy: [Preview]: Ensure services listen only on allowed ports in Kubernetes cluster)
Medium N Kubernetes Service
The Kubernetes Service should be upgraded to the latest Kubernetes version Upgrade Azure Kubernetes Service clusters to the latest Kubernetes version in order to benefit from up-to-date vulnerability patches. For details regarding specific Kubernetes vulnerabilities see Kubernetes CVEs.
(Related policy: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version)
High N Kubernetes Service
Usage of host networking and ports should be restricted Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster.
Pods created with the hostNetwork attribute enabled will share the node's network space. To prevent a compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.
(Related policy: [Preview]: Kubernetes cluster pods should only use approved host network and port range)
Medium N Kubernetes Service
Usage of pod HostPath volume mounts should be restricted to a known list To reduce the attack surface of your Kubernetes cluster, limit pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths.
In case of compromise, this restricts the access a container has to the node's file system.
(Related policy: [Preview]: Kubernetes cluster pod hostPath volumes should only use allowed host paths)
Medium N Kubernetes Service
Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys) Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
(No related policy)
High N Container Registry
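Most rows of this table map to a single field of a Pod manifest: the securityContext flags (privileged, allowPrivilegeEscalation, readOnlyRootFilesystem, runAsNonRoot, capabilities), hostPID/hostIPC/hostNetwork, hostPath volumes, resource limits, the image registry, container and host ports, and the AppArmor annotation. The following Python is an added example, not code from this page and not the Gatekeeper constraint templates the Azure Policy add-on installs: it audits a Pod manifest that has already been loaded into a dict (for example with yaml.safe_load) against those rows, and shows a constructed legacy pod beside a hardened one. The allow-lists in POLICY are example values, and treating a container with no AppArmor annotation as running under the runtime default profile is an assumption.

```python
POLICY = {  # constructed allow-lists; example values, not Azure defaults
    "allowed_registries": ("myregistry.azurecr.io/", "mcr.microsoft.com/"),
    "max_cpu_millicores": 2000,
    "max_memory_bytes": 4 * 1024 ** 3,
    "allowed_container_ports": {8080, 8443},
    "allowed_capabilities": {"NET_BIND_SERVICE"},
    "allowed_apparmor": {"runtime/default"},
    "allowed_host_ports": set(),  # empty: no hostPort at all
    "allowed_host_paths": ("/var/log/app",),
}
# Kubernetes quantity suffixes handled here (Ti/Pi/Ei omitted for brevity)
_MEM_UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_cpu(quantity):
    """'500m' -> 500 millicores; '2' or '0.5' -> 2000 / 500."""
    q = str(quantity)
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)


def parse_memory(quantity):
    """'256Mi' -> bytes; a plain number is already bytes."""
    q = str(quantity)
    for suffix, mult in _MEM_UNITS.items():
        if q.endswith(suffix):
            return int(float(q[: -len(suffix)]) * mult)
    return int(q)


def _path_allowed(path, allowed):
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in allowed)


def audit_pod(pod, policy=POLICY):
    """Return human-readable findings; an empty list means the pod is compliant."""
    spec = pod["spec"]
    annotations = pod.get("metadata", {}).get("annotations", {})
    findings = []
    # Pod-level settings
    if spec.get("hostPID") or spec.get("hostIPC"):
        findings.append("pod shares the host PID or IPC namespace")
    if spec.get("hostNetwork"):
        findings.append("pod uses host networking")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None and not _path_allowed(path, policy["allowed_host_paths"]):
            findings.append(f"volume {vol['name']}: hostPath {path} is not in the allow list")
    # Container-level settings (init containers are held to the same rules)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if not c["image"].startswith(policy["allowed_registries"]):
            findings.append(f"{name}: image {c['image']} is not from a trusted registry")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or parse_cpu(limits["cpu"]) > policy["max_cpu_millicores"]:
            findings.append(f"{name}: CPU limit missing or above the maximum")
        if "memory" not in limits or parse_memory(limits["memory"]) > policy["max_memory_bytes"]:
            findings.append(f"{name}: memory limit missing or above the maximum")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot is not set")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities are not dropped (drop: [ALL] missing)")
        extra = set(caps.get("add", [])) - policy["allowed_capabilities"]
        if extra:
            findings.append(f"{name}: disallowed capabilities added: {sorted(extra)}")
        # Assumption: no annotation means the runtime default AppArmor profile applies.
        profile = annotations.get(f"container.apparmor.security.beta.kubernetes.io/{name}", "runtime/default")
        if profile not in policy["allowed_apparmor"]:
            findings.append(f"{name}: AppArmor profile {profile!r} is not in the allow list")
        for port in c.get("ports", []):
            if port.get("containerPort") not in policy["allowed_container_ports"]:
                findings.append(f"{name}: containerPort {port.get('containerPort')} is not allowed")
            if "hostPort" in port and port["hostPort"] not in policy["allowed_host_ports"]:
                findings.append(f"{name}: hostPort {port['hostPort']} is not allowed")
    return findings


# Constructed manifests: a typical legacy pod and its hardened counterpart.
WEAK_POD = {
    "metadata": {"name": "legacy-api", "annotations": {
        "container.apparmor.security.beta.kubernetes.io/api": "unconfined"}},
    "spec": {"hostPID": True, "hostNetwork": True,
             "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
             "containers": [{"name": "api", "image": "docker.io/library/nginx:latest",
                             "securityContext": {"privileged": True},
                             "ports": [{"containerPort": 80, "hostPort": 80}]}]},
}
HARDENED_POD = {
    "metadata": {"name": "api", "annotations": {
        "container.apparmor.security.beta.kubernetes.io/api": "runtime/default"}},
    "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log/app/api"}}],
             "containers": [{"name": "api", "image": "myregistry.azurecr.io/team/api:1.4.2",
                             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                             "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                                 "allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True,
                                                 "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
                             "ports": [{"containerPort": 8080}]}]},
}
```

`audit_pod(WEAK_POD)` returns fourteen findings (every row of the table it covers, including the Docker socket hostPath that is a direct route to the node), while `audit_pod(HARDENED_POD)` returns none. Note that `allowPrivilegeEscalation` has to be set to `false` explicitly; an absent field is the insecure default, which is why the check reads the value with a `True` fallback.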

App Service recommendations

Columns: Recommendation | Description & related policy | Severity | Quick fix enabled? | Resource type
API App should only be accessible over HTTPS Limit access to API Apps to HTTPS only.
(Related policy: API App should only be accessible over HTTPS)
Medium N App service
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Azure Defender for App Service can discover attacks on your applications and identify emerging attacks.
Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred. If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.
(Related policy: Advanced threat protection should be enabled on Azure App Service plans)
High Y Subscription
CORS should not allow every resource to access your API App Allow only required domains to interact with your API application. Cross origin resource sharing (CORS) should not allow all domains to access your API application.
(Related policy: CORS should not allow every resource to access your API App)
Low Y App service
CORS should not allow every resource to access your Function App Allow only required domains to interact with your function application. Cross origin resource sharing (CORS) should not allow all domains to access your function application.
(Related policy: CORS should not allow every resource to access your Function App)
Low Y App service
CORS should not allow every resource to access your Web Applications Allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your web application.
(Related policy: CORS should not allow every resource to access your Web Application)
Low Y App service
Diagnostic logs in App Services should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in App Services should be enabled)
Low N App service
Function App should only be accessible over HTTPS Enable "HTTPS only" access for function apps. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
(Related policy: Function App should only be accessible over HTTPS)
Medium Y App service
Remote debugging should be turned off for API App Turn off debugging for API App if you no longer need to use it. Remote debugging requires inbound ports to be opened on an API App.
(Related policy: Remote debugging should be turned off for API App)
Low Y App service
Remote debugging should be turned off for Function App Turn off debugging for Function App if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Function App.
(Related policy: Remote debugging should be turned off for Function App)
Low Y App service
Remote debugging should be turned off for Web Applications Turn off debugging for Web Applications if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Web App.
(Related policy: Remote debugging should be turned off for Web Application)
Low Y App service
Web Application should only be accessible over HTTPS Enable "HTTPS only" access for web applications. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
(Related policy: Web Application should only be accessible over HTTPS)
Medium Y App service
Web apps should request an SSL certificate for all incoming requests Enabling client certificates makes the app request a certificate on every incoming request.
Only clients that present a valid certificate will be able to reach the app.
(Related policy: [Preview]: Web apps should request an SSL certificate for all incoming requests)
Medium N App service
TLS should be updated to the latest version for your API app Upgrade to the latest TLS version.
(Related policy: [Preview]: TLS should be updated to the latest version for your API app)
High N App service
Diagnostic logs should be enabled in App Service Audit enabling of diagnostic logs on the app.
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.
(Related policy: [Preview]: Diagnostic logs should be enabled in App Service)
Medium N App service
Managed identity should be used in your API app For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
(Related policy: [Preview]: Managed identity should be used in your API app)
Medium N App service
TLS should be updated to the latest version for your web app Upgrade to the latest TLS version.
(Related policy: [Preview]: TLS should be updated to the latest version for your web app)
High N App service
TLS should be updated to the latest version for your function app Upgrade to the latest TLS version.
(Related policy: [Preview]: TLS should be updated to the latest version for your function app)
High N App service
PHP should be updated to the latest version for your API app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: [Preview]: PHP should be updated to the latest version for your API app)
Medium N App service
PHP should be updated to the latest version for your web app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality.
Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: [Preview]: PHP should be updated to the latest version for your web app)
Medium N App service
Java should be updated to the latest version for your web app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: [Preview]: Java should be updated to the latest version for your web app)
Medium N App service
Java should be updated to the latest version for your function app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: [Preview]: Java should be updated to the latest version for your function app)
Medium N App service
Java should be updated to the latest version for your API app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality.
Using the latest Java version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: [Preview]: Java should be updated to the latest version for your API app)
Medium N App service
Python should be updated to the latest version for your web app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: [Preview]: Python should be updated to the latest version for your web app)
Medium N App service
Python should be updated to the latest version for your function app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: [Preview]: Python should be updated to the latest version for your function app)
Medium N App service
Python should be updated to the latest version for your API app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality.
Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: [Preview]: Python should be updated to the latest version for your API app)
Medium N App service
FTPS should be required in your Function App Enable FTPS enforcement for enhanced security.
(Related policy: [Preview]: FTPS should be required in your function App)
High N App service
FTPS should be required in your Web App Enable FTPS enforcement for enhanced security.
(Related policy: [Preview]: FTPS should be required in your web App)
High N App service
FTPS should be required in your API App Enable FTPS enforcement for enhanced security.
(Related policy: [Preview]: FTPS should be required in your API App)
High N App service
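The HTTPS-only, TLS version, remote debugging, CORS, FTPS, client certificate, managed identity and diagnostic log rows in this table (and the matching HTTPS rows in the network table) each correspond to one property of the Microsoft.Web/sites resource or its siteConfig: `httpsOnly`, `siteConfig.minTlsVersion`, `siteConfig.remoteDebuggingEnabled`, `siteConfig.cors.allowedOrigins`, `siteConfig.ftpsState`, `clientCertEnabled`, `identity.type`, and the `httpLoggingEnabled` / `detailedErrorLoggingEnabled` / `requestTracingEnabled` flags. The following Python is an added example, not this page's code and not the Azure Policy definitions: it evaluates a site dict in that shape (what `az webapp show` and `az webapp config show` return) and reports which recommendations it fails. Assumptions: `LATEST_TLS = "1.2"` is the highest minimum version App Service offered when this page was written, "Disabled" FTPS is accepted as stricter than "FtpsOnly", and mapping the diagnostic-log row to those three flags is the example's own reading of the policy. Both sample sites are constructed.

```python
LATEST_TLS = "1.2"  # assumption: highest minTlsVersion App Service accepted when this page was written
ACCEPTABLE_FTPS = {"FtpsOnly", "Disabled"}  # 'Disabled' is stricter than the page's 'require FTPS'
LOG_FLAGS = ("httpLoggingEnabled", "detailedErrorLoggingEnabled", "requestTracingEnabled")


def _version(s):
    return tuple(int(x) for x in str(s).split("."))


def tls_is_current(cfg):
    """A missing minTlsVersion is treated as non-compliant rather than assumed."""
    return "minTlsVersion" in cfg and _version(cfg["minTlsVersion"]) >= _version(LATEST_TLS)


def uses_managed_identity(site):
    kind = site.get("identity", {}).get("type", "None")  # 'SystemAssigned', 'UserAssigned', both, or 'None'
    return "SystemAssigned" in kind or "UserAssigned" in kind


# (recommendation, predicate over the site resource and its siteConfig)
CHECKS = [
    ("should only be accessible over HTTPS", lambda s, c: s.get("httpsOnly") is True),
    ("TLS should be updated to the latest version", lambda s, c: tls_is_current(c)),
    ("remote debugging should be turned off", lambda s, c: not c.get("remoteDebuggingEnabled", False)),
    ("CORS should not allow every resource", lambda s, c: "*" not in c.get("cors", {}).get("allowedOrigins", [])),
    ("FTPS should be required", lambda s, c: c.get("ftpsState") in ACCEPTABLE_FTPS),
    ("should request an SSL certificate for all incoming requests", lambda s, c: s.get("clientCertEnabled") is True),
    ("managed identity should be used", lambda s, c: uses_managed_identity(s)),
    ("diagnostic logs should be enabled", lambda s, c: all(c.get(k, False) for k in LOG_FLAGS)),
]


def audit_site(site):
    """Return the recommendations the site fails; an empty list means compliant."""
    cfg = site.get("siteConfig", {})
    return [name for name, passes in CHECKS if not passes(site, cfg)]


# Constructed sites: a legacy deployment and the same app after remediation.
WEAK_SITE = {
    "name": "legacy-api", "httpsOnly": False, "clientCertEnabled": False,
    "identity": {"type": "None"},
    "siteConfig": {"minTlsVersion": "1.0", "remoteDebuggingEnabled": True, "ftpsState": "AllAllowed",
                   "cors": {"allowedOrigins": ["*"]},
                   "httpLoggingEnabled": False, "detailedErrorLoggingEnabled": False,
                   "requestTracingEnabled": False},
}
HARDENED_SITE = {
    "name": "api", "httpsOnly": True, "clientCertEnabled": True,
    "identity": {"type": "SystemAssigned"},
    "siteConfig": {"minTlsVersion": "1.2", "remoteDebuggingEnabled": False, "ftpsState": "Disabled",
                   "cors": {"allowedOrigins": ["https://portal.example.com"]},
                   "httpLoggingEnabled": True, "detailedErrorLoggingEnabled": True,
                   "requestTracingEnabled": True},
}
```

`audit_site(WEAK_SITE)` lists all eight recommendations; `audit_site(HARDENED_SITE)` returns an empty list. The same dict shape covers web, function and API apps, which is why the page repeats each row three times but a single check suffices.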

Compute and app recommendations

Columns: Recommendation | Description & related policy | Severity | Quick fix enabled? | Resource type
Adaptive Application Controls should be enabled on virtual machines Enable application control to control which applications can run on your VMs located in Azure. This will help harden your VMs against malware. Security Center uses machine learning to analyze the applications running on each VM and helps you apply allow rules using this intelligence. This capability simplifies the process of configuring and maintaining application allow rules.
(Related policy: Adaptive Application Controls should be enabled on virtual machines)
High N Machine
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to every event hub in the namespace. To align with the least privilege security model, you should create access policies at the entity level for each event hub to provide access to only that specific entity.
(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace)
Low N Compute resources (event hub)
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.
(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace)
Low N Compute resources (service bus)
Authorization rules on the Event Hub entity should be defined Audit authorization rules on the Event Hub entity to grant least-privileged access.
(Related policy: Authorization rules on the Event Hub entity should be defined)
Low N Compute resources (event hub)
Automation account variables should be encrypted Enable encryption of Automation account variable assets when storing sensitive data.
(Related policy: Encryption should be enabled on Automation account variables)
High N Compute resources (automation account)
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities.
You can use this information to quickly remediate security issues and improve the security of your virtual machines.
Important: Remediating this recommendation will result in charges for protecting your virtual machines. If you don't have any virtual machines in this subscription, no charges will be incurred. If you create any virtual machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
(Related policy: Advanced threat protection should be enabled on virtual machines)
High Y Subscription
Diagnostic logs in Azure Stream Analytics should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Azure Stream Analytics should be enabled)
Low Y Compute resources (stream analytics)
Diagnostic logs in Batch accounts should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Batch accounts should be enabled)
Low Y Compute resources (batch)
Diagnostic logs in Event Hub should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Event Hub should be enabled)
Low Y Compute resources (event hub)
Diagnostic logs in Logic Apps should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Logic Apps should be enabled)
Low Y Compute resources (logic apps)
Diagnostic logs in Search services should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Search services should be enabled)
Low Y Compute resources (search)
Diagnostic logs in Service Bus should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Service Bus should be enabled)
Low Y Compute resources (service bus)
Disk encryption should be applied on virtual machines Encrypt your virtual machine disks using Azure Disk Encryption (ADE) for both Windows and Linux virtual machines. ADE uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide OS and data disk encryption, with the encryption keys held in your own Azure Key Vault, to help protect your data and meet your organizational security and compliance commitments. When your compliance and security requirements call for end-to-end encryption under your own keys, including encryption of the ephemeral (locally attached temporary) disk, use ADE. Alternatively, Managed Disks are encrypted at rest by default using Azure Storage Service Encryption with Microsoft-managed keys; if that meets your compliance and security requirements, the default Managed Disk encryption is sufficient.
(Related policy: Disk encryption should be applied on virtual machines)
High N Machine
Enable the built-in vulnerability assessment solution on virtual machines Install the Qualys agent (included with Azure Defender) to enable a best-of-breed vulnerability assessment solution on your virtual machines.
(Related policy: Vulnerability assessment should be enabled on virtual machines)
Medium Y Machine
Endpoint protection health issues should be resolved on your machines For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.
(This recommendation is dependent upon the recommendation "Install endpoint protection solution on your machines" and its policy)
Medium N Machine
Guest configuration extension should be installed on Windows virtual machines (Preview) Install the guest configuration agent to enable auditing settings inside a machine such as: the configuration of the operating system, application configuration or presence, environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.
(Related policy: Audit prerequisites to enable Guest Configuration policies on Windows VMs)
High Y Machine
Install endpoint protection solution on virtual machines Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.
(No related policy)
Medium N Machine
Install endpoint protection solution on your machines Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.
(Related policy: Monitor missing Endpoint Protection in Azure Security Center)
Medium N Machine
Log Analytics agent health issues should be resolved on your machines Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collecting security events to the configured workspace. In some cases, the agent may fail to properly report security events, for a variety of reasons. In these cases, coverage may be partial: security events won't be properly processed, and in turn threat detection for the affected VMs may fail to function. View the remediation steps for more information on how to resolve each issue.
(No related policy - dependent upon "Log Analytics agent health issues should be resolved on your machines")
Medium N Machine
Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview) Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines.
(Related policy: [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines)
High Y Azure Arc Machine
Log Analytics agent should be installed on your virtual machines Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis.
This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.
We recommend configuring auto-provisioning to automatically deploy the agent.
If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.
(No related policy)
High Y Machine
Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview) Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines.
(Related policy: [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines)
High Y Azure Arc Machine
Network traffic data collection agent should be installed on Linux virtual machines (Preview) Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and detection of specific network threats.
(Related policy: [Preview]: Network traffic data collection agent should be installed on Linux virtual machines)
Medium Y Machine
Network traffic data collection agent should be installed on Windows virtual machines (Preview) Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and detection of specific network threats.
(Related policy: [Preview]: Network traffic data collection agent should be installed on Windows virtual machines)
Medium Y Machine
OS version should be updated for your cloud service roles Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.
(No related policy)
High N Machine
Remediate vulnerabilities found on your virtual machines (powered by Qualys) Monitors for vulnerability findings on your virtual machines discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).
(Related policy: Vulnerability Assessment should be enabled on Virtual Machines)
Low N Machine
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.
(Related policy: The ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set)
High N Compute resources (service fabric)
Service Fabric clusters should only use Azure Active Directory for client authentication Perform client authentication only via Azure Active Directory in Service Fabric.
(Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication)
High N Compute resources (service fabric)
System updates should be installed on your machines Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers.
(Related policy: System updates should be installed on your machines)
High N Machine
Virtual machines should be migrated to new Azure Resource Manager resources Use Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (Azure RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.
(Related policy: Virtual machines should be migrated to new Azure Resource Manager resources)
Low N Machine
Vulnerabilities in container security configurations should be remediated Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.
(Related policy: Vulnerabilities in container security configurations should be remediated)
High N Machine
Vulnerabilities in security configuration on your machines should be remediated Remediate vulnerabilities in security configuration on your machines to protect them from attacks.
(Related policy: Vulnerabilities in security configuration on your machines should be remediated)
Low N Machine
Vulnerabilities should be remediated by a Vulnerability Assessment solution Virtual machines on which a third-party vulnerability assessment solution is deployed are continuously assessed for application and OS vulnerabilities. Whenever such vulnerabilities are found, their details are available as part of the recommendation.
(Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution)
High N Machine
Vulnerability assessment solution should be installed on your virtual machines Install a vulnerability assessment solution on your virtual machines.
(Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution)
Medium N Machine
Windows Defender Exploit Guard should be enabled on your machines (Preview) Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).
(Related policy: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled)
Medium N Machine
Your machines should be restarted to apply system updates Restart your machines to apply the system updates and secure the machine from vulnerabilities.
(No related policy - dependent upon "System updates should be installed on your machines")
Medium N Machine
Azure Backup should be enabled for virtual machines Protect the data on your Azure virtual machines with Azure Backup.
Azure Backup is an Azure-native, cost-effective, data protection solution.
It creates recovery points that are stored in geo-redundant recovery vaults.
When you restore from a recovery point, you can restore the whole VM or specific files.
(Related policy: [Preview]: Azure Backup should be enabled for virtual machines)
Low N Virtual machine

Virtual machine scale set recommendations

Recommendation Description & related policy Severity Quick fix enabled? (Learn more) Resource type
Diagnostic logs in Virtual Machine Scale Sets should be enabled Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes. This is useful when a security incident occurs, or your network is compromised.
(Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled)
Low N Virtual machine scale set
Endpoint protection health failures should be remediated on virtual machine scale sets Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.
(No related policy - dependent upon "Endpoint protection solution should be installed on virtual machine scale sets")
Low N Virtual machine scale set
Endpoint protection solution should be installed on virtual machine scale sets Install an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities.
(Related policy: Endpoint protection solution should be installed on virtual machine scale sets)
High N Virtual machine scale set
Log Analytics agent should be installed on your virtual machine scale sets Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. The agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.
You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets.
To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.
High Y Virtual machine scale set
System updates on virtual machine scale sets should be installed Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.
(Related policy: System updates on virtual machine scale sets should be installed)
High N Virtual machine scale set
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.
(Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated)
High N Virtual machine scale set

Data and storage recommendations

Recommendation Description & related policy Severity Quick fix enabled? (Learn more) Resource type
Access to storage accounts with firewall and virtual network configurations should be restricted Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific Internet or on-premises clients, you can grant access to traffic from specific Azure virtual networks or to public Internet IP address ranges.
(Related policy: Audit unrestricted network access to storage accounts)
Low N Storage account
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred. If you create any Azure SQL Database servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
(Related policy: Advanced data security should be enabled on Azure SQL Database servers)
High Y Subscription
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred. If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time.
(Related policy: Advanced data security should be enabled on SQL servers on machines)
High Y Subscription
Azure Defender for SQL should be enabled on your managed instances Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.
(Related policy: Advanced data security should be enabled on SQL Managed Instance)
High Y SQL
Azure Defender for SQL should be enabled on your SQL servers Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Azure Defender for SQL is billed as shown on the pricing page.
(Related policy: Advanced data security should be enabled on your SQL servers)
High Y SQL
An Azure Active Directory administrator should be provisioned for SQL Database Provision an Azure AD administrator for your SQL Database to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
(Related policy: Audit provisioning of an Azure Active Directory administrator for SQL server)
High N SQL
Auditing on SQL Database should be enabled Enable auditing for SQL Database.
(Related policy: Auditing should be enabled for SQL Database on advanced data security settings for your server)
Low Y SQL
Azure Defender for Storage should be enabled Azure Defender for Storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred. If you create any Azure Storage accounts on this subscription in the future, they will automatically be protected and charges will begin at that time.
(Related policy: Advanced threat protection should be enabled on Azure Storage accounts)
High Y Subscription
Diagnostic logs in Azure Data Lake Store should be enabled Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Azure Data Lake Store should be enabled)
Low Y Data lake store
Diagnostic logs in Data Lake Analytics should be enabled Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Data Lake Analytics should be enabled)
Low Y Data lake analytics
Only secure connections to your Redis Cache should be enabled Enable only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
(Related policy: Only secure connections to your Redis Cache should be enabled)
High N Redis
Secure transfer to storage accounts should be enabled Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
(Related policy: Secure transfer to storage accounts should be enabled)
High N Storage account
Sensitive data in your SQL databases should be classified Azure SQL Database Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL Database auditing to audit access and monitor the sensitive data. Azure SQL Database also enables advanced threat protection features, which create intelligent alerts based on changes in the access patterns to the sensitive data.
(Related policy: [Preview]: Sensitive data in your SQL databases should be classified)
High N SQL
Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
(Related policy: Storage account public access should be disallowed)
Medium Y Storage account
Storage accounts should be migrated to new Azure Resource Manager resources Use Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (Azure RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management.
(Related policy: Storage accounts should be migrated to new Azure Resource Manager resources)
Low N Storage account
Transparent Data Encryption on SQL databases should be enabled Enable transparent data encryption to protect data-at-rest and meet compliance requirements.
(Related policy: Transparent Data Encryption on SQL databases should be enabled)
Low Y SQL
Vulnerability assessment findings on your SQL databases should be remediated SQL Vulnerability assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
(Related policy: Vulnerabilities on your SQL databases should be remediated)
High N SQL
Vulnerability assessment findings on your SQL servers on machines should be remediated (Preview) SQL Vulnerability assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
(No related policy)
High N SQL
Vulnerability assessment should be enabled on SQL Database Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
(Related policy: Vulnerability assessment should be enabled on your SQL servers)
High Y SQL
Vulnerability assessment should be enabled on SQL Managed Instance Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
(Related policy: Vulnerability assessment should be enabled on SQL Managed Instance)
High Y SQL
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server.
It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.
(Related policy: [Preview]: Geo-redundant backup should be enabled for Azure Database for MariaDB)
Low N Azure Database for MariaDB servers
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server.
It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.
(Related policy: [Preview]: Geo-redundant backup should be enabled for Azure Database for PostgreSQL)
Low N Azure Database for PostgreSQL
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server.
It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure.
Configuring geo-redundant storage for backup is only allowed when creating a server.
(Related policy: [Preview]: Geo-redundant backup should be enabled for Azure Database for MySQL)
Low N Azure Database for MySQL
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.
(Related policy: [Preview]: Enforce SSL connection should be enabled for PostgreSQL database servers)
Medium N PostgreSQL database servers
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL).
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
This configuration enforces that SSL is always enabled for accessing your database server.
(Related policy: [Preview]: Enforce SSL connection should be enabled for MySQL database servers)
Medium N MySQL database servers
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
(Related policy: [Preview]: Private endpoint should be enabled for PostgreSQL servers)
Medium N PostgreSQL servers
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
(Related policy: [Preview]: Private endpoint should be enabled for MariaDB servers)
Medium N Azure Database for MariaDB servers
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
(Related policy: [Preview]: Private endpoint should be enabled for MySQL servers)
Medium N Azure Database for MySQL
Audit retention for SQL servers should be set to at least 90 days Audit SQL servers configured with an auditing retention period of less than 90 days.
(Related policy: [Preview]: Audit retention for SQL servers should be set to at least 90 days)
Low N SQL

Identity and access recommendations

Recommendation Description & related policy Severity Quick fix enabled? (Learn more) Resource type
A maximum of 3 owners should be designated for your subscription Designate fewer than three subscription owners in order to reduce the potential for breach by a compromised owner.
(Related policy: A maximum of 3 owners should be designated for your subscription)
High N Subscription
Azure Defender for Key Vault should be enabled Azure Security Center includes Azure Defender for Key Vault, providing an additional layer of security intelligence. Azure Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Remediating this recommendation will result in charges for protecting your AKV vaults. If you don't have any AKV vaults in this subscription, no charges will be incurred. If you create any AKV vaults on this subscription in the future, they will automatically be protected and charges will begin at that time.
(Related policy: Advanced threat protection should be enabled on Azure Key Vault vaults)
High Y Subscription
Deprecated accounts should be removed from your subscription Remove deprecated accounts from your subscriptions to enable access to only current users.
(Related policy: Deprecated accounts should be removed from your subscription)
High N Subscription
Deprecated accounts with owner permissions should be removed from your subscription Remove deprecated accounts with owner permissions from your subscriptions.
(Related policy: Deprecated accounts with owner permissions should be removed from your subscription)
High N Subscription
Diagnostic logs in Key Vault should be enabled Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Key Vault should be enabled)
Low Y Key Vault
External accounts with owner permissions should be removed from your subscription Remove external accounts with owner privileges from your subscription in order to prevent unmonitored access.
(Related policy: External accounts with owner permissions should be removed from your subscription)
High N Subscription
External accounts with read permissions should be removed from your subscription Remove external accounts with read privileges from your subscription in order to prevent unmonitored access.
(Related policy: External accounts with read permissions should be removed from your subscription)
High N Subscription
External accounts with write permissions should be removed from your subscription Remove external accounts with write privileges from your subscription in order to prevent unmonitored access.
(Related policy: External accounts with write permissions should be removed from your subscription)
High N Subscription
MFA should be enabled on accounts with owner permissions on your subscription Enable Multi-Factor Authentication (MFA) for all subscription accounts with owner privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with owner permissions on your subscription)
High N Subscription
MFA should be enabled on accounts with read permissions on your subscription Enable Multi-Factor Authentication (MFA) for all subscription accounts with read privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with read permissions on your subscription)
High N Subscription
MFA should be enabled on accounts with write permissions on your subscription Enable Multi-Factor Authentication (MFA) for all subscription accounts with write privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with write permissions on your subscription)
High N Subscription
Service principals should be used to protect your subscriptions instead of Management Certificates Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management.
(No related policy)
Medium N Subscription
There should be more than one owner assigned to your subscription Designate more than one subscription owner in order to have administrator access redundancy.
(Related policy: There should be more than one owner assigned to your subscription)
High N Subscription
Managed identity should be used in your function app For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
(Related policy: [Preview]: Managed identity should be used in your function app)
Medium N App service
Managed identity should be used in your web app For enhanced authentication security, use a managed identity.
On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
(Related policy: [Preview]: Managed identity should be used in your web app)
Medium N App service

Deprecated recommendations

Recommendation Description & related policy Severity Quick fix enabled? (Learn more) Resource type
Access to App Services should be restricted Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad.
(Related policy: [Preview]: Access to App Services should be restricted)
High N App service
The rules for web applications on IaaS NSGs should be hardened Harden the network security groups (NSGs) of your virtual machines that run web applications, where the NSG rules are overly permissive with regard to web application ports.
(Related policy: The NSGs rules for web applications on IaaS should be hardened)
High N Virtual machine
Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access.
(Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services)
Medium N Compute resources (Containers)
Install Azure Security Center for IoT security module to get more visibility into your IoT devices Install Azure Security Center for IoT security module to get more visibility into your IoT devices.
(No related policy)
Low N IoT device

Next steps

To learn more about recommendations, see the following: