Azure Policy Regulatory Compliance controls for Azure Virtual Machines

Regulatory Compliance in Azure Policy provides Microsoft-created and -managed initiative definitions, known as built-ins, for the compliance domains and security controls of different compliance standards. This page lists the compliance domains and security controls for Azure Virtual Machines. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.
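The "assign the built-ins individually" workflow from the introduction, as an added Azure PowerShell example (not code from this page or from Microsoft): it resolves a built-in definition by the display name shown in the tables, assigns it at a scope, forces an evaluation, and then lists the resources that policy reports as non-compliant. The subscription ID, resource group and assignment name are assumptions for illustration; the session is assumed to be authenticated with Connect-AzAccount and to have Az.Resources and Az.PolicyInsights loaded.

```powershell
# Added example, not from the Azure docs page. Assign one built-in policy from the tables
# and read back its per-resource compliance state.

$scope          = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-vms'  # assumed scope
$resourceGroup  = 'rg-vms'                                                                     # assumed, must match $scope
$displayName    = 'Disk encryption should be applied on virtual machines'                      # title as it appears in the tables
$assignmentName = 'asb-dp5-disk-encryption'                                                    # assumed assignment name

# 1. Resolve the built-in definition by display name. The tables identify policies by title,
#    but an assignment needs the definition object (or its GUID name / resource ID).
#    Older Az.Resources versions nest metadata under .Properties; newer ones flatten it, so
#    read the display name from whichever shape is present.
$definition = Get-AzPolicyDefinition -Builtin | Where-Object {
    $dn = if ($_.PSObject.Properties['Properties']) { $_.Properties.DisplayName } else { $_.DisplayName }
    $dn -eq $displayName
}
if (-not $definition) { throw "No built-in policy definition titled '$displayName'" }
if (@($definition).Count -gt 1) { throw "Title '$displayName' matched more than one built-in; pick one by .Name" }

# 2. Assign it individually at the chosen scope. The VM policies in these tables use audit-style
#    effects (Audit / AuditIfNotExists), so the assignment reports findings; it does not block
#    deployments or remediate anything by itself.
$assignment = New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName "ASB DP-5: $displayName" `
    -PolicyDefinition $definition `
    -Scope $scope

# 3. A new assignment is only evaluated on the next policy evaluation cycle; trigger a scan of
#    the resource group instead of waiting for it (this call blocks until the scan finishes).
Start-AzPolicyComplianceScan -ResourceGroupName $resourceGroup

# 4. List the resources this one assignment flags as non-compliant. As the note above says,
#    this is compliance with one policy definition, not with the whole DP-5 control.
Get-AzPolicyState -ResourceGroupName $resourceGroup `
    -Filter "PolicyAssignmentName eq '$assignmentName' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState, Timestamp |
    Format-Table -AutoSize
```

For the Guest Configuration policies in the tables (the "Windows machines should meet requirements for ..." and "Audit Windows/Linux machines ..." entries), the same steps apply, but those definitions only produce results on machines that also have the Guest Configuration extension and a system-assigned managed identity; the tables list the companion "Add system-assigned managed identity ..." and "Deploy the ... Guest Configuration extension ..." policies that put those prerequisites in place, and they need to be assigned too.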

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Network Security | NS-1 | Implement security for internal traffic | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
Network Security | NS-1 | Implement security for internal traffic | Internet-facing virtual machines should be protected with network security groups | 3.0.0
Network Security | NS-1 | Implement security for internal traffic | IP Forwarding on your virtual machine should be disabled | 3.0.0
Network Security | NS-1 | Implement security for internal traffic | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Network Security | NS-1 | Implement security for internal traffic | Management ports should be closed on your virtual machines | 3.0.0
Network Security | NS-4 | Protect applications and services from external network attacks | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
Network Security | NS-4 | Protect applications and services from external network attacks | Internet-facing virtual machines should be protected with network security groups | 3.0.0
Network Security | NS-4 | Protect applications and services from external network attacks | IP Forwarding on your virtual machine should be disabled | 3.0.0
Network Security | NS-4 | Protect applications and services from external network attacks | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Data Protection | DP-2 | Protect sensitive data | Disk encryption should be applied on virtual machines | 2.0.0
Data Protection | DP-4 | Encrypt sensitive information in transit | Windows web servers should be configured to use secure communication protocols | 2.0.0
Data Protection | DP-5 | Encrypt sensitive data at rest | Disk encryption should be applied on virtual machines | 2.0.0
Asset Management | AM-3 | Use only approved Azure services | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0
Asset Management | AM-6 | Use only approved applications in compute resources | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Logging and Threat Detection | LT-3 | Enable logging for Azure network activities | Network traffic data collection agent should be installed on Linux virtual machines | 1.0.1-preview
Logging and Threat Detection | LT-3 | Enable logging for Azure network activities | Network traffic data collection agent should be installed on Windows virtual machines | 1.0.1-preview
Logging and Threat Detection | LT-4 | Enable logging for Azure resources | Resource logs in Virtual Machine Scale Sets should be enabled | 2.0.1
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Log Analytics agent health issues should be resolved on your machines | 1.0.0
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0
Posture and Vulnerability Management | PV-4 | Sustain secure configurations for compute resources | Vulnerabilities in container security configurations should be remediated | 3.0.0
Posture and Vulnerability Management | PV-4 | Sustain secure configurations for compute resources | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0
Posture and Vulnerability Management | PV-4 | Sustain secure configurations for compute resources | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0
Posture and Vulnerability Management | PV-6 | Perform software vulnerability assessments | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0
Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | System updates on virtual machine scale sets should be installed | 3.0.0
Posture and Vulnerability Management | PV-7 | Rapidly and automatically remediate software vulnerabilities | System updates should be installed on your machines | 3.0.0
Endpoint Security | ES-2 | Use centrally managed modern anti-malware software | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
Endpoint Security | ES-2 | Use centrally managed modern anti-malware software | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
Endpoint Security | ES-2 | Use centrally managed modern anti-malware software | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1
Endpoint Security | ES-3 | Ensure anti-malware software and signatures are updated | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
Endpoint Security | ES-3 | Ensure anti-malware software and signatures are updated | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
Backup and Recovery | BR-1 | Ensure regular automated backups | Azure Backup should be enabled for Virtual Machines | 1.0.1
Backup and Recovery | BR-2 | Encrypt backup data | Azure Backup should be enabled for Virtual Machines | 1.0.1

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Internet-facing virtual machines should be protected with network security groups | 3.0.0
Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | IP Forwarding on your virtual machine should be disabled | 3.0.0
Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Management ports should be closed on your virtual machines | 3.0.0
Network Security | 1.4 | Deny communications with known malicious IP addresses | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
Network Security | 1.4 | Deny communications with known malicious IP addresses | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Administrative Templates - Network' | 2.0.0
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 2.0.0
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0
Logging and Monitoring | 2.2 | Configure central security log management | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0
Logging and Monitoring | 2.2 | Configure central security log management | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0
Logging and Monitoring | 2.2 | Configure central security log management | The Log Analytics agent should be installed on virtual machines | 1.0.0
Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Resource logs in Virtual Machine Scale Sets should be enabled | 2.0.1
Logging and Monitoring | 2.4 | Collect security logs from operating systems | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0
Logging and Monitoring | 2.4 | Collect security logs from operating systems | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0
Logging and Monitoring | 2.4 | Collect security logs from operating systems | The Log Analytics agent should be installed on virtual machines | 1.0.0
Logging and Monitoring | 2.8 | Centralize anti-malware logging | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
Logging and Monitoring | 2.8 | Centralize anti-malware logging | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0
Logging and Monitoring | 2.8 | Centralize anti-malware logging | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0
Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have extra accounts in the Administrators group | 1.0.0
Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have the specified members in the Administrators group | 1.0.0
Data Protection | 4.8 | Encrypt sensitive information at rest | Disk encryption should be applied on virtual machines | 2.0.0
Data Protection | 4.8 | Encrypt sensitive information at rest | Unattached disks should be encrypted | 1.0.0
Vulnerability Management | 5.1 | Run automated vulnerability scanning tools | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0
Vulnerability Management | 5.2 | Deploy automated operating system patch management solution | System updates on virtual machine scale sets should be installed | 3.0.0
Vulnerability Management | 5.2 | Deploy automated operating system patch management solution | System updates should be installed on your machines | 3.0.0
Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities in container security configurations should be remediated | 3.0.0
Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0
Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0
Inventory and Asset Management | 6.8 | Use only approved applications | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Inventory and Asset Management | 6.9 | Use only approved Azure services | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0
Inventory and Asset Management | 6.10 | Implement approved application list | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Secure Configuration | 7.4 | Maintain secure operating system configurations | Vulnerabilities in container security configurations should be remediated | 3.0.0
Secure Configuration | 7.4 | Maintain secure operating system configurations | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0
Secure Configuration | 7.4 | Maintain secure operating system configurations | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0
Secure Configuration | 7.10 | Implement automated configuration monitoring for operating systems | Vulnerabilities in container security configurations should be remediated | 3.0.0
Secure Configuration | 7.10 | Implement automated configuration monitoring for operating systems | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0
Secure Configuration | 7.10 | Implement automated configuration monitoring for operating systems | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0
Malware Defense | 8.1 | Use centrally managed anti-malware software | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
Malware Defense | 8.1 | Use centrally managed anti-malware software | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
Malware Defense | 8.3 | Ensure anti-malware software and signatures are updated | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0
Data Recovery | 9.1 | Ensure regular automated back ups | Azure Backup should be enabled for Virtual Machines | 1.0.1
Data Recovery | 9.2 | Perform complete system backups and backup any customer managed keys | Azure Backup should be enabled for Virtual Machines | 1.0.1

CIS Microsoft Azure Foundations Benchmark

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Security Center | 2.3 | Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" | System updates should be installed on your machines | 3.0.0
Security Center | 2.4 | Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0
Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
Security Center | 2.6 | Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Disk encryption should be applied on virtual machines | 2.0.0
Security Center | 2.7 | Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
Security Center | 2.9 | Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" | Internet-facing virtual machines should be protected with network security groups | 3.0.0
Security Center | 2.10 | Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0
Security Center | 2.12 | Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Security Center | 2.13 | Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Virtual Machines | 7.1 | Ensure that 'OS disk' are encrypted | Disk encryption should be applied on virtual machines | 2.0.0
Virtual Machines | 7.2 | Ensure that 'Data disks' are encrypted | Disk encryption should be applied on virtual machines | 2.0.0
Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted | Unattached disks should be encrypted | 1.0.0
Virtual Machines | 7.4 | Ensure that only approved extensions are installed | Only approved VM extensions should be installed | 1.0.0
Virtual Machines | 7.5 | Ensure that the latest OS Patches for all Virtual Machines are applied | System updates should be installed on your machines | 3.0.0
Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows web servers should be configured to use secure communication protocols | 2.0.0
Access Control | AC.1.003 | Verify and control/limit connections to and use of external information systems. | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
Access Control | AC.1.003 | Verify and control/limit connections to and use of external information systems. | Internet-facing virtual machines should be protected with network security groups | 3.0.0
Access Control | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0
Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'User Rights Assignment' | 2.0.0
Access Control | AC.2.013 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0
Access Control | AC.2.013 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0
Access Control | AC.2.013 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0
Access Control | AC.2.013 | Monitor and control remote access sessions. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0
Access Control | AC.2.013 | Monitor and control remote access sessions. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Access Control | AC.2.013 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0
Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Internet-facing virtual machines should be protected with network security groups | 3.0.0
Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0
Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0
Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0
Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 2.0.0
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 1.0.0
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Guest Configuration extension should be installed on your machines | 1.0.1
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'User Rights Assignment' | 2.0.0
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | The Log Analytics agent should be installed on virtual machines | 1.0.0
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics agent should be installed on virtual machines | 1.0.0
Audit and Accountability | AU.2.043 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | Audit Windows machines that are not set to the specified time zone | 1.0.0
Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview
Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1
Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | The Log Analytics agent should be installed on virtual machines | 1.0.0
Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0
Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0
Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management CM.2.061 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Linux machines should meet requirements for the Azure security baseline 1.1.0-preview
Configuration Management CM.2.062 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. Windows machines should meet requirements for 'System Audit Policies - Privilege Use' 2.0.0
Configuration Management CM.2.063 Control and monitor user-installed software. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM.2.063 Control and monitor user-installed software. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM.2.063 Control and monitor user-installed software. Windows machines should meet requirements for 'Security Options - User Account Control' 2.0.0
Configuration Management CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Configuration Management CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems. Windows machines should meet requirements for 'Security Options - Network Security' 2.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. Windows machines should meet requirements for 'System Audit Policies - Policy Change' 2.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Internet-facing virtual machines should be protected with network security groups 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Configuration Management CM.3.069 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 1.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 1.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Audit Linux machines that do not have the passwd file permissions set to 0644 1.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Audit Linux machines that have accounts without passwords 1.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Windows machines should meet requirements for 'Security Options - Network Security' 2.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 1.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 1.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Linux machines that have accounts without passwords 1.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Windows machines that do not have the password complexity setting enabled 1.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Windows machines that do not restrict the minimum password length to 14 characters 1.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Windows machines should meet requirements for 'Security Options - Network Security' 2.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 1.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 1.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Audit Windows machines that allow re-use of the previous 24 passwords 1.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Windows machines should meet requirements for 'Security Options - Network Security' 2.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 1.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 1.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Audit Windows machines that do not store passwords using reversible encryption 1.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Windows machines should meet requirements for 'Security Options - Network Security' 2.0.0
Identification and Authentication IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. Windows web servers should be configured to use secure communication protocols 2.0.0
Incident Response IR.2.093 Detect and report events. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Recovery RE.2.137 Regularly perform and test data back-ups. Audit virtual machines without disaster recovery configured 1.0.0
Recovery RE.2.137 Regularly perform and test data back-ups. Azure Backup should be enabled for Virtual Machines 1.0.1
Recovery RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Audit virtual machines without disaster recovery configured 1.0.0
Recovery RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Azure Backup should be enabled for Virtual Machines 1.0.1
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Windows machines should meet requirements for 'Security Options - Network Access' 2.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Windows machines should meet requirements for 'Security Options - Network Security' 2.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Windows web servers should be configured to use secure communication protocols 2.0.0
System and Communications Protection SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.2.179 Use encrypted sessions for the management of network devices. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Audit Windows machines that do not store passwords using reversible encryption 1.0.0
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Disk encryption should be applied on virtual machines 2.0.0
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Unattached disks should be encrypted 1.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. Audit Windows machines that have extra accounts in the Administrators group 1.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. Audit Windows machines that have the specified members in the Administrators group 1.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Windows machines should meet requirements for 'Security Options - Network Access' 2.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Windows machines should meet requirements for 'Security Options - Network Security' 2.0.0
System and Communications Protection SC.3.185 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Windows web servers should be configured to use secure communication protocols 2.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. Windows web servers should be configured to use secure communication protocols 2.0.0
System and Communications Protection SC.3.191 Protect the confidentiality of CUI at rest. Disk encryption should be applied on virtual machines 2.0.0
System and Communications Protection SC.3.191 Protect the confidentiality of CUI at rest. Unattached disks should be encrypted 1.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. System updates on virtual machine scale sets should be installed 3.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. System updates should be installed on your machines 3.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity SI.1.212 Update malicious code protection mechanisms when new releases are available. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.0.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Monitor missing Endpoint Protection in Azure Security Center 3.0.0

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Privilege Management 11180.01c3System.6 - 01.c Access to management functions or administrative consoles for systems hosting virtualized systems is restricted to personnel based upon the principle of least privilege and supported through technical controls. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Privilege Management 1143.01c1System.123 - 01.c Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element. Management ports should be closed on your virtual machines 3.0.0
Privilege Management 1148.01c2System.78 - 01.c The organization restricts access to privileged functions and all security-relevant information. Windows machines should meet requirements for 'Security Options - Accounts' 2.0.0
Privilege Management 1150.01c2System.10 - 01.c The access control system for the system components storing, processing or transmitting covered information is set with a default "deny-all" setting. Management ports should be closed on your virtual machines 3.0.0
User Authentication for External Connections 1119.01j2Organizational.3 - 01.j Network equipment is checked for unanticipated dial-up capabilities. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
User Authentication for External Connections 1175.01j1Organizational.8 - 01.j Remote access to business information across public networks only takes place after successful identification and authentication. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
User Authentication for External Connections 1179.01j3Organizational.1 - 01.j The information system monitors and controls remote access methods. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Remote Diagnostic and Configuration Port Protection 1192.01l1Organizational.1 - 01.l Access to network equipment is physically protected. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Remote Diagnostic and Configuration Port Protection 1193.01l2Organizational.13 - 01.l Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port. Management ports should be closed on your virtual machines 3.0.0
Remote Diagnostic and Configuration Port Protection 1197.01l3Organizational.3 - 01.l The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Segregation in Networks 0805.01m1Organizational.12 - 01.m The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. Internet-facing virtual machines should be protected with network security groups 3.0.0
Segregation in Networks 0806.01m2Organizational.12356 - 01.m The organization's network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. Internet-facing virtual machines should be protected with network security groups 3.0.0
Segregation in Networks 0894.01m2Organizational.7 - 01.m Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0812.01n2Organizational.8 - 01.n Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0812.01n2Organizational.8 - 01.n Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0814.01n1Organizational.12 - 01.n The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0814.01n1Organizational.12 - 01.n The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. Internet-facing virtual machines should be protected with network security groups 3.0.0
User Identification and Authentication 11210.01q2Organizational.10 - 01.q Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. Audit Windows machines that have the specified members in the Administrators group 1.0.0
User Identification and Authentication 11211.01q2Organizational.11 - 01.q Signed electronic records shall contain information associated with the signing in human-readable format. Audit Windows machines missing any of specified members in the Administrators group 1.0.0
User Identification and Authentication 1123.01q1System.2 - 01.q Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions. Audit Windows machines that have extra accounts in the Administrators group 1.0.0
User Identification and Authentication 1125.01q2System.1 - 01.q Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access). Audit Windows machines that have the specified members in the Administrators group 1.0.0
User Identification and Authentication 1127.01q2System.3 - 01.q Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access. Audit Windows machines missing any of specified members in the Administrators group 1.0.0
Audit Logging 1202.09aa1System.1 - 09.aa A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information. System updates on virtual machine scale sets should be installed 3.0.0
Audit Logging 1206.09aa2System.23 - 09.aa Auditing is always available while the system is active and tracks key events, success/failed data access, system security configuration changes, privileged or utility use, any alarms raised, activation and de-activation of protection systems (e.g., A/V and IDS), activation and deactivation of identification and authentication mechanisms, and creation and deletion of system-level objects. Resource logs in Virtual Machine Scale Sets should be enabled 2.0.1
Monitoring System Use 12100.09ab2System.15 - 09.ab The organization monitors the information system to identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm the system is functioning in an optimal, resilient and secure state. The Log Analytics agent should be installed on virtual machines 1.0.0
Monitoring System Use 12101.09ab1Organizational.3 - 09.ab The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. The Log Analytics agent should be installed on Virtual Machine Scale Sets 1.0.0
Monitoring System Use 12102.09ab1Organizational.4 - 09.ab The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes. Audit Windows machines on which the Log Analytics agent is not connected as expected 1.0.0
Monitoring System Use 1215.09ab2System.7 - 09.ab Auditing and monitoring systems employed by the organization support audit reduction and report generation. The Log Analytics agent should be installed on virtual machines 1.0.0
Monitoring System Use 1216.09ab3System.12 - 09.ab Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies. The Log Analytics agent should be installed on Virtual Machine Scale Sets 1.0.0
Monitoring System Use 1217.09ab3System.3 - 09.ab Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations. Audit Windows machines on which the Log Analytics agent is not connected as expected 1.0.0
Segregation of Duties 1232.09c3Organizational.12 - 09.c Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. Windows machines should meet requirements for 'User Rights Assignment' 2.0.0
Segregation of Duties 1277.09c2Organizational.4 - 09.c The initiation of an event is separated from its authorization to reduce the possibility of collusion. Windows machines should meet requirements for 'Security Options - User Account Control' 2.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Deploy default Microsoft IaaSAntimalware extension for Windows Server 1.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. System updates should be installed on your machines 3.0.0
Back-up 1620.09l1Organizational.8 - 09.l When the backup service is delivered by the third party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. Azure Backup should be enabled for Virtual Machines 1.0.1
Back-up 1625.09l3Organizational.34 - 09.l Three (3) generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action. Azure Backup should be enabled for Virtual Machines 1.0.1
Back-up 1699.09l1Organizational.10 - 09.l Workforce members' roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices. Azure Backup should be enabled for Virtual Machines 1.0.1
Network Controls 0858.09m1Organizational.4 - 09.m The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Network Controls 0858.09m1Organizational.4 - 09.m The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Network Controls 0858.09m1Organizational.4 - 09.m The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. Windows machines should meet requirements for 'Windows Firewall Properties' 2.0.0
Network Controls 0859.09m1Organizational.78 - 09.m The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Controls 0861.09m2Organizational.67 - 09.m To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. Windows machines should meet requirements for 'Security Options - Network Access' 2.0.0
Security of Network Services 0835.09n1Organizational.1 - 09.n Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely. Network traffic data collection agent should be installed on Windows virtual machines 1.0.1-preview
Security of Network Services 0835.09n1Organizational.1 - 09.n Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely. Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Security of Network Services 0836.09.n2Organizational.1 - 09.n The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization. Network traffic data collection agent should be installed on Linux virtual machines 1.0.1-preview
Security of Network Services 0885.09n2Organizational.3 - 09.n The organization reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements. Network traffic data collection agent should be installed on Linux virtual machines 1.0.1-preview
Security of Network Services 0887.09n2Organizational.5 - 09.n The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services. Network traffic data collection agent should be installed on Windows virtual machines 1.0.1-preview
Management of Removable Media 0302.09o2Organizational.1 - 09.o The organization protects and controls media containing sensitive information during transport outside of controlled areas. Disk encryption should be applied on virtual machines 2.0.0
Management of Removable Media 0303.09o2Organizational.2 - 09.o Digital and non-digital media requiring restricted use and the specific safeguards used to restrict their use are identified. Unattached disks should be encrypted 1.0.0
On-line Transactions 0945.09y1Organizational.3 - 09.y Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). Audit Windows machines that do not contain the specified certificates in Trusted Root 1.0.1
Control of Operational Software 0605.10h1System.12 - 10.h Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Control of Operational Software 0605.10h1System.12 - 10.h Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. Windows machines should meet requirements for 'Security Options - Audit' 2.0.0
Control of Operational Software 0605.10h1System.12 - 10.h Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. Windows machines should meet requirements for 'System Audit Policies - Account Management' 2.0.0
Control of Operational Software 0606.10h2System.1 - 10.h Applications and operating systems are successfully tested for usability, security and impact prior to production. Vulnerabilities in container security configurations should be remediated 3.0.0
Control of Operational Software 0607.10h2System.23 - 10.h The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Control of Operational Software 0607.10h2System.23 - 10.h The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Change Control Procedures 0635.10k1Organizational.12 - 10.k Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Change Control Procedures 0636.10k2Organizational.1 - 10.k The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management (e.g., through policies, standards, processes). Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Change Control Procedures 0637.10k2Organizational.2 - 10.k The organization has developed, documented, and implemented a configuration management plan for the information system. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Change Control Procedures 0638.10k2Organizational.34569 - 10.k Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Change Control Procedures 0639.10k2Organizational.78 - 10.k Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Change Control Procedures 0640.10k2Organizational.1012 - 10.k Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Change Control Procedures 0641.10k2Organizational.11 - 10.k The organization does not use automated updates on critical systems. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Change Control Procedures 0642.10k3Organizational.12 - 10.k The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Change Control Procedures 0643.10k3Organizational.3 - 10.k The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Change Control Procedures 0644.10k3Organizational.4 - 10.k The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 2.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. Vulnerabilities in container security configurations should be remediated 3.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. Windows machines should meet requirements for 'Security Options - Microsoft Network Server' 2.0.0
Control of Technical Vulnerabilities 0711.10m2Organizational.23 - 10.m A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Control of Technical Vulnerabilities 0713.10m2Organizational.5 - 10.m Patches are tested and evaluated before they are installed. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Control of Technical Vulnerabilities 0714.10m2Organizational.7 - 10.m The technical vulnerability management program is evaluated on a quarterly basis. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Control of Technical Vulnerabilities 0715.10m2Organizational.8 - 10.m Systems are appropriately hardened (e.g., configured with only necessary and secure services, ports and protocols enabled). Vulnerabilities in container security configurations should be remediated 3.0.0
Control of Technical Vulnerabilities 0717.10m3Organizational.2 - 10.m Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Control of Technical Vulnerabilities 0718.10m3Organizational.34 - 10.m The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically) and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Business Continuity and Risk Assessment 1634.12b1Organizational.1 - 12.b The organization identifies the critical business processes requiring business continuity. Audit virtual machines without disaster recovery configured 1.0.0
Business Continuity and Risk Assessment 1637.12b2Organizational.2 - 12.b Business impact analyses are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. Windows machines should meet requirements for 'Security Options - Recovery console' 2.0.0
Business Continuity and Risk Assessment 1638.12b2Organizational.345 - 12.b Business continuity risk assessments (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. Audit virtual machines without disaster recovery configured 1.0.0

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access control 9.1.2 Access to networks and network services Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 1.0.0
Access control 9.1.2 Access to networks and network services Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 1.0.0
Access control 9.1.2 Access to networks and network services Audit Linux machines that allow remote connections from accounts without passwords 1.0.0
Access control 9.1.2 Access to networks and network services Audit Linux machines that have accounts without passwords 1.0.0
Access control 9.1.2 Access to networks and network services Audit VMs that do not use managed disks 1.0.0
Access control 9.1.2 Access to networks and network services Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 1.0.0
Access control 9.1.2 Access to networks and network services Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Access control 9.2.4 Management of secret authentication information of users Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 1.0.0
Access control 9.2.4 Management of secret authentication information of users Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 1.0.0
Access control 9.2.4 Management of secret authentication information of users Audit Linux machines that do not have the passwd file permissions set to 0644 1.0.0
Access control 9.2.4 Management of secret authentication information of users Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 1.0.0
Access control 9.4.3 Password management system Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 1.0.0
Access control 9.4.3 Password management system Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 1.0.0
Access control 9.4.3 Password management system Audit Windows machines that allow re-use of the previous 24 passwords 1.0.0
Access control 9.4.3 Password management system Audit Windows machines that do not have a maximum password age of 70 days 1.0.0
Access control 9.4.3 Password management system Audit Windows machines that do not have a minimum password age of 1 day 1.0.0
Access control 9.4.3 Password management system Audit Windows machines that do not have the password complexity setting enabled 1.0.0
Access control 9.4.3 Password management system Audit Windows machines that do not restrict the minimum password length to 14 characters 1.0.0
Access control 9.4.3 Password management system Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.0.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 1.0.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 1.0.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Audit Windows machines that do not store passwords using reversible encryption 1.0.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.0.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Disk encryption should be applied on virtual machines 2.0.0
Operations security 12.4.1 Event Logging [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted 1.0.0-preview
Operations security 12.4.1 Event Logging Audit Dependency agent deployment - VM Image (OS) unlisted 1.0.1
Operations security 12.4.1 Event Logging Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted 1.0.1
Operations security 12.4.1 Event Logging Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted 1.0.1
Operations security 12.4.3 Administrator and operator logs [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted 1.0.0-preview
Operations security 12.4.3 Administrator and operator logs Audit Dependency agent deployment - VM Image (OS) unlisted 1.0.1
Operations security 12.4.3 Administrator and operator logs Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted 1.0.1
Operations security 12.4.3 Administrator and operator logs Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted 1.0.1
Operations security 12.4.4 Clock Synchronization [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted 1.0.0-preview
Operations security 12.4.4 Clock Synchronization Audit Dependency agent deployment - VM Image (OS) unlisted 1.0.1
Operations security 12.4.4 Clock Synchronization Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted 1.0.1
Operations security 12.4.4 Clock Synchronization Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted 1.0.1
Operations security 12.5.1 Installation of software on operational systems Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Operations security 12.6.1 Management of technical vulnerabilities A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Operations security 12.6.1 Management of technical vulnerabilities Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Operations security 12.6.1 Management of technical vulnerabilities System updates should be installed on your machines 3.0.0
Operations security 12.6.1 Management of technical vulnerabilities Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Operations security 12.6.2 Restrictions on software installation Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Communications security 13.1.1 Network controls All network ports should be restricted on network security groups associated to your virtual machine 3.0.0

New Zealand ISM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - New Zealand Information Security Manual. For more information about this compliance standard, see New Zealand Information Security Manual.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Information security monitoring ISM-3 6.2.5 Conducting vulnerability assessments A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Information security monitoring ISM-3 6.2.5 Conducting vulnerability assessments Vulnerabilities in container security configurations should be remediated 3.0.0
Information security monitoring ISM-3 6.2.5 Conducting vulnerability assessments Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Information security monitoring ISM-3 6.2.5 Conducting vulnerability assessments Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Product Security PRS-5 12.4.4 Patching vulnerabilities in products System updates on virtual machine scale sets should be installed 3.0.0
Product Security PRS-5 12.4.4 Patching vulnerabilities in products System updates should be installed on your machines 3.0.0
Software security SS-2 14.1.9 Maintaining hardened SOEs Deploy Dependency agent for Windows virtual machine scale sets 1.3.0
Software security SS-2 14.1.9 Maintaining hardened SOEs Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Software security SS-2 14.1.9 Maintaining hardened SOEs Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.0.0
Software security SS-2 14.1.9 Maintaining hardened SOEs Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Software security SS-4 14.2.4 Application Whitelisting Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Access Control and Passwords AC-2 16.1.32 System User Identification Audit Linux machines that allow remote connections from accounts without passwords 1.0.0
Access Control and Passwords AC-2 16.1.32 System User Identification Audit Linux machines that have accounts without passwords 1.0.0
Access Control and Passwords AC-2 16.1.32 System User Identification Audit Windows machines missing any of specified members in the Administrators group 1.0.0
Access Control and Passwords AC-2 16.1.32 System User Identification Audit Windows machines that have extra accounts in the Administrators group 1.0.0
Access Control and Passwords AC-2 16.1.32 System User Identification Audit Windows machines that have the specified members in the Administrators group 1.0.0
Access Control and Passwords AC-2 16.1.32 System User Identification Deploy Dependency agent for Windows virtual machines 1.3.0
Access Control and Passwords AC-2 16.1.32 System User Identification Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 1.0.0
Access Control and Passwords AC-2 16.1.32 System User Identification Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.0.0
Access Control and Passwords AC-4 16.1.40 Password selection policy Deploy Dependency agent for Windows virtual machines 1.3.0
Access Control and Passwords AC-4 16.1.40 Password selection policy Windows machines should meet requirements for 'Security Settings - Account Policies' 2.0.0
Access Control and Passwords AC-5 16.1.46 Suspension of access Deploy Dependency agent for Windows virtual machines 1.3.0
Access Control and Passwords AC-7 16.2.5 Protecting compartmented information on systems Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control and Passwords AC-9 16.3.5 Use of Privileged Accounts Audit Windows machines missing any of specified members in the Administrators group 1.0.0
Access Control and Passwords AC-9 16.3.5 Use of Privileged Accounts Audit Windows machines that have extra accounts in the Administrators group 1.0.0
Access Control and Passwords AC-9 16.3.5 Use of Privileged Accounts Audit Windows machines that have the specified members in the Administrators group 1.0.0
Access Control and Passwords AC-9 16.3.5 Use of Privileged Accounts Deploy Dependency agent for Windows virtual machines 1.3.0
Access Control and Passwords AC-9 16.3.5 Use of Privileged Accounts Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.0.0
Access Control and Passwords AC-14 16.6.7 Content of system management logs [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted 1.0.0-preview
Access Control and Passwords AC-14 16.6.7 Content of system management logs Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted 1.0.1
Access Control and Passwords AC-14 16.6.7 Content of system management logs Audit Log Analytics workspace for VM - Report Mismatch 1.0.1
Cryptography CR-2 17.1.46 Reducing storage and physical transfer requirements Disk encryption should be applied on virtual machines 2.0.0
Cryptography CR-6 17.4.16 Using TLS Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.0.0
Cryptography CR-6 17.4.16 Using TLS Windows web servers should be configured to use secure communication protocols 2.0.0
Network security NS-2 18.1.13 Limiting network access Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network security NS-2 18.1.13 Limiting network access Internet-facing virtual machines should be protected with network security groups 3.0.0
Data management DM-4 20.3.10 Antivirus scans Deploy Dependency agent for Windows virtual machine scale sets 1.3.0
Data management DM-4 20.3.10 Antivirus scans Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Data management DM-4 20.3.10 Antivirus scans Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Data management DM-4 20.3.10 Antivirus scans Windows Defender Exploit Guard should be enabled on your machines 1.1.1
Data management DM-6 20.4.4 Database files Disk encryption should be applied on virtual machines 2.0.0
Data management DM-6 20.4.4 Database files Windows web servers should be configured to use secure communication protocols 2.0.0
Enterprise systems security ESS-3 22.1.26 Backup, Recovery Archiving and Data Remanence Audit virtual machines without disaster recovery configured 1.0.0

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics agent should be installed on virtual machines | 1.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | The Log Analytics agent should be installed on virtual machines | 1.0.0 |
| Configuration Management | 3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | 3.4.8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | 3.4.9 | Control and monitor user-installed software. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
| System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Disk encryption should be applied on virtual machines | 2.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | System updates on virtual machine scale sets should be installed | 3.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | System updates should be installed on your machines | 3.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |

NIST SP 800-53 R4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 R4. For more information about this compliance standard, see NIST SP 800-53 R4.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 (12) | Account Management \| Account Monitoring / Atypical Usage | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Access Control | AC-5 | Separation of Duties | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | AC-5 | Separation of Duties | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | AC-6 (7) | Least Privilege \| Review of User Privileges | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | AC-6 (7) | Least Privilege \| Review of User Privileges | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | AC-17 (1) | Remote Access \| Automated Monitoring / Control | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0 |
| Access Control | AC-17 (1) | Remote Access \| Automated Monitoring / Control | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0 |
| Access Control | AC-17 (1) | Remote Access \| Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC-17 (1) | Remote Access \| Automated Monitoring / Control | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 1.0.0 |
| Access Control | AC-17 (1) | Remote Access \| Automated Monitoring / Control | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0 |
| Audit and Accountability | AU-3 (2) | Content of Audit Records \| Centralized Management of Planned Audit Record Content | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | AU-3 (2) | Content of Audit Records \| Centralized Management of Planned Audit Record Content | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | AU-3 (2) | Content of Audit Records \| Centralized Management of Planned Audit Record Content | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Audit and Accountability | AU-6 (4) | Audit Review, Analysis, and Reporting \| Central Review and Analysis | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | AU-6 (4) | Audit Review, Analysis, and Reporting \| Central Review and Analysis | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | AU-6 (4) | Audit Review, Analysis, and Reporting \| Central Review and Analysis | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| Audit and Accountability | AU-12 | Audit Generation | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
| Configuration Management | CM-7 (2) | Least Functionality \| Prevent Program Execution | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | CM-7 (5) | Least Functionality \| Authorized Software / Whitelisting | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | CM-11 | User-Installed Software | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| System and Communications Protection | SC-7 | Boundary Protection | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
| System and Communications Protection | SC-7 (3) | Boundary Protection \| Access Points | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| System and Communications Protection | SC-7 (4) | Boundary Protection \| External Telecommunications Services | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| System and Communications Protection | SC-28 (1) | Protection of Information at Rest \| Cryptographic Protection | Disk encryption should be applied on virtual machines | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | System updates on virtual machine scale sets should be installed | 3.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | System updates should be installed on your machines | 3.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| System and Information Integrity | SI-3 (1) | Malicious Code Protection \| Central Management | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| System and Information Integrity | SI-3 (1) | Malicious Code Protection \| Central Management | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| System and Information Integrity | SI-4 | Information System Monitoring | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
| System and Information Integrity | SI-4 | Information System Monitoring | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |

Next steps