lz policy effects across environments - oWretch/policy GitHub Wiki
Auto-generated Policy effect documentation across environments 'Platform', 'Landing Zones', 'Production', 'Decommissioned', 'Management', 'Corp', 'Connectivity', 'Sandbox', 'Identity' sorted by Policy category and Policy display name.
- managementGroups: Platform
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-MySQL |
Policy Set | Enforce recommended guardrails for MySQL |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL |
Type | Custom |
Category | MySQL |
Description | This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-APIM |
Policy Set | Enforce recommended guardrails for API Management |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM |
Type | Custom |
Category | API Management |
Description | This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-ContReg |
Policy Set | Enforce recommended guardrails for Container Registry |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry |
Type | Custom |
Category | Container Registry |
Description | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-PostgreSQL |
Policy Set | Enforce recommended guardrails for PostgreSQL |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL |
Type | Custom |
Category | PostgreSQL |
Description | This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVaultSup |
Policy Set | Enforce additional recommended guardrails for Key Vault |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup |
Type | Custom |
Category | Key Vault |
Description | This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-RecoverySvc |
Policy Set | Deploy Azure Monitor Baseline Alerts for Recovery Services |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-RecoveryServices |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Recovery Services such as Azure Backup, and Azure Site Recovery. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-DataExpl |
Policy Set | Enforce recommended guardrails for Data Explorer |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer |
Type | Custom |
Category | Azure Data Explorer |
Description | This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring |
Policy Set | Enable Azure Monitor for VMSS with Azure Monitoring Agent (AMA) |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485 |
Type | BuiltIn |
Category | Monitoring |
Description | Enable Azure Monitor for virtual machine scale sets (VMSS) with AMA. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-EventGrid |
Policy Set | Enforce recommended guardrails for Event Grid |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid |
Type | Custom |
Category | Event Grid |
Description | This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-MachLearn |
Policy Set | Enforce recommended guardrails for Machine Learning |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning |
Type | Custom |
Category | Machine Learning |
Description | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-ServiceBus |
Policy Set | Enforce recommended guardrails for Service Bus |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus |
Type | Custom |
Category | Service Bus |
Description | This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Storage |
Policy Set | Enforce recommended guardrails for Storage Account |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage |
Type | Custom |
Category | Storage |
Description | This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Compute |
Policy Set | Enforce recommended guardrails for Compute |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute |
Type | Custom |
Category | Compute |
Description | This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-VM |
Policy Set | Deploy Azure Monitor Baseline Alerts for Virtual Machines |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-VM |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Azure Virtual Machines. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-ContApps |
Policy Set | Enforce recommended guardrails for Container Apps |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps |
Type | Custom |
Category | Container Apps |
Description | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. |
Assignment: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-SQL-AMA-PLT |
Policy Set | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26 |
Type | BuiltIn |
Category | Security Center |
Description | Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-Snet-Private-PLT |
Policy | Subnets should be private |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837 |
Type | BuiltIn |
Category | Network |
Description | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/DenyAction-DeleteUAMIAMA |
Policy | Do not allow deletion of specified resource and resource type |
Policy Definition Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources |
Type | Custom |
Category | General |
Description | This policy enables you to specify the resource and resource type that your organization can protect from accidental deletion by blocking delete calls using the deny action effect. |
Assignment: Configure periodic checking for missing system updates on Azure virtual machines and Arc-enabled virtual machines.
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enable-AUM-Updates-PLT |
Policy Set | Configure periodic checking for missing system updates on Azure virtual machines and Arc-enabled virtual machines |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates |
Type | Custom |
Category | Security Center |
Description | Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-ASR-PLT |
Policy Set | Enforce enhanced recovery and backup policies |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup |
Type | Custom |
Category | Backup |
Description | Enforce enhanced recovery and backup policies on assigned scopes. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Kubernetes |
Policy Set | Enforce recommended guardrails for Kubernetes |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes |
Type | Custom |
Category | Kubernetes |
Description | This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-KeyMgmt |
Policy Set | Deploy Azure Monitor Baseline Alerts for Key Management |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-KeyManagement |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Key Management Services such as Azure Key Vault, and Managed HSM. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring |
Policy Set | Enable Azure Monitor for VMs with Azure Monitoring Agent (AMA) |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6 |
Type | BuiltIn |
Category | Monitoring |
Description | Enable Azure Monitor for the virtual machines (VMs) with AMA. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Synapse |
Policy Set | Enforce recommended guardrails for Synapse workspaces |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse |
Type | Custom |
Category | Synapse |
Description | This policy initiative is a group of policies that ensures Synapse workspaces are compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-vmArc-ChangeTrack |
Policy Set | Enable ChangeTracking and Inventory for Arc-enabled virtual machines |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1 |
Type | BuiltIn |
Category | ChangeTrackingAndInventory |
Description | Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-SQL |
Policy Set | Enforce recommended guardrails for SQL and SQL Managed Instance |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL |
Type | Custom |
Category | SQL |
Description | This policy initiative is a group of policies that ensures SQL and SQL Managed Instance are compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-BotService |
Policy Set | Enforce recommended guardrails for Bot Service |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService |
Type | Custom |
Category | Bot Service |
Description | This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Network |
Policy Set | Enforce recommended guardrails for Network and Networking services |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network |
Type | Custom |
Category | Network |
Description | This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-ChangeTrack |
Policy Set | [Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc |
Type | BuiltIn |
Category | ChangeTrackingAndInventory |
Description | Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-CosmosDb |
Policy Set | Enforce recommended guardrails for Cosmos DB |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb |
Type | Custom |
Category | Cosmos DB |
Description | This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-vmHybr-Monitoring |
Policy Set | Enable Azure Monitor for Hybrid VMs with AMA |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321 |
Type | BuiltIn |
Category | Monitoring |
Description | Enable Azure Monitor for the hybrid virtual machines with AMA. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-VirtualDesk |
Policy Set | Enforce recommended guardrails for Virtual Desktop |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop |
Type | Custom |
Category | Desktop Virtualization |
Description | This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVault-PLT |
Policy Set | Enforce recommended guardrails for Azure Key Vault |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault |
Type | Custom |
Category | Key Vault |
Description | Enforce recommended guardrails for Azure Key Vault. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-OpenAI |
Policy Set | Enforce recommended guardrails for Open AI (Cognitive Service) |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI |
Type | Custom |
Category | Cognitive Services |
Description | This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-Encrypt-CMK |
Policy Set | Deny or Audit resources without Encryption with a customer-managed key (CMK) |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK |
Type | Custom |
Category | Encryption |
Description | Deny or Audit resources without Encryption with a customer-managed key (CMK) |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-AppServices |
Policy Set | Enforce recommended guardrails for App Service |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices |
Type | Custom |
Category | App Service |
Description | This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-DataFactory |
Policy Set | Enforce recommended guardrails for Data Factory |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory |
Type | Custom |
Category | Data Factory |
Description | This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-Storage |
Policy Set | Deploy Azure Monitor Baseline Alerts for Storage |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-Storage |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Storage Services such as Storage accounts. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-CogServ |
Policy Set | Enforce recommended guardrails for Cognitive Services |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices |
Type | Custom |
Category | Cognitive Services |
Description | This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-ChangeTrack |
Policy Set | Enable ChangeTracking and Inventory for virtual machines |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354 |
Type | BuiltIn |
Category | ChangeTrackingAndInventory |
Description | Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-EventHub |
Policy Set | Enforce recommended guardrails for Event Hub |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub |
Type | Custom |
Category | Event Hub |
Description | This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-ContInst |
Policy Set | Enforce recommended guardrails for Container Instance |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance |
Type | Custom |
Category | Container Instances |
Description | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Automation |
Policy Set | Enforce recommended guardrails for Automation Account |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation |
Type | Custom |
Category | Automation |
Description | This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-platform/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-Web |
Policy Set | Deploy Azure Monitor Baseline Alerts for Web |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-Web |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Web Services such as App Services. |
- managementGroups: Landing Zones
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-AppServices |
Policy Set | Enforce recommended guardrails for App Service |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices |
Type | Custom |
Category | App Service |
Description | This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-forwarding |
Policy | Network interfaces should disable IP forwarding |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900 |
Type | BuiltIn |
Category | Network |
Description | This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's source and destination check for a network interface. This should be reviewed by the network security team. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat |
Policy | Configure Azure Defender to be enabled on SQL servers |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5 |
Type | BuiltIn |
Category | SQL |
Description | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-ContApps |
Policy Set | Enforce recommended guardrails for Container Apps |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps |
Type | Custom |
Category | Container Apps |
Description | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVaultSup |
Policy Set | Enforce additional recommended guardrails for Key Vault |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup |
Type | Custom |
Category | Key Vault |
Description | This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-VirtualDesk |
Policy Set | Enforce recommended guardrails for Virtual Desktop |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop |
Type | Custom |
Category | Desktop Virtualization |
Description | This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-MgmtPorts-Internet |
Policy | Management port access from the Internet should be blocked |
Policy Definition Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet |
Type | Custom |
Category | Network |
Description | This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. |
Assignment: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL-H224 |
Policy Set | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509 |
Type | Custom |
Category | Encryption |
Description | Choose either DeployIfNotExists and Append in combination with Audit, or select Deny as the policy effect. Deny policies shift left. DeployIfNotExists and Append enforce the setting, but it can later be changed, and because they lack an existence condition they require the combination with Audit. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Compute |
Policy Set | Enforce recommended guardrails for Compute |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute |
Type | Custom |
Category | Compute |
Description | This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Network |
Policy Set | Enforce recommended guardrails for Network and Networking services |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network |
Type | Custom |
Category | Network |
Description | This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-Encrypt-CMK |
Policy Set | Deny or Audit resources without Encryption with a customer-managed key (CMK) |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK |
Type | Custom |
Category | Encryption |
Description | Deny or Audit resources without Encryption with a customer-managed key (CMK) |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-RecoverySvc |
Policy Set | Deploy Azure Monitor Baseline Alerts for Recovery Services |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-RecoveryServices |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Recovery Services such as Azure Backup, and Azure Site Recovery. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-CogServ |
Policy Set | Enforce recommended guardrails for Cognitive Services |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices |
Type | Custom |
Category | Cognitive Services |
Description | This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-EventHub |
Policy Set | Enforce recommended guardrails for Event Hub |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub |
Type | Custom |
Category | Event Hub |
Description | This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-ASR-LZ |
Policy Set | Enforce enhanced recovery and backup policies |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup |
Type | Custom |
Category | Backup |
Description | Enforce enhanced recovery and backup policies on assigned scopes. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-DataFactory |
Policy Set | Enforce recommended guardrails for Data Factory |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory |
Type | Custom |
Category | Data Factory |
Description | This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Synapse |
Policy Set | Enforce recommended guardrails for Synapse workspaces |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse |
Type | Custom |
Category | Synapse |
Description | This policy initiative is a group of policies that ensures Synapse workspaces are compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-SQL |
Policy Set | Enforce recommended guardrails for SQL and SQL Managed Instance |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL |
Type | Custom |
Category | SQL |
Description | This policy initiative is a group of policies that ensures SQL and SQL Managed Instance are compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-Web |
Policy Set | Deploy Azure Monitor Baseline Alerts for Web |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-Web |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Web Services such as App Services. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Storage |
Policy Set | Enforce recommended guardrails for Storage Account |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage |
Type | Custom |
Category | Storage |
Description | This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-MachLearn |
Policy Set | Enforce recommended guardrails for Machine Learning |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning |
Type | Custom |
Category | Machine Learning |
Description | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-TDE |
Policy | Deploy SQL DB transparent data encryption |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f |
Type | BuiltIn |
Category | SQL |
Description | Enables transparent data encryption on SQL databases |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Privileged-AKS |
Policy | Kubernetes cluster should not allow privileged containers |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4 |
Type | BuiltIn |
Category | Kubernetes |
Description | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-CosmosDb |
Policy Set | Enforce recommended guardrails for Cosmos DB |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb |
Type | Custom |
Category | Cosmos DB |
Description | This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones. |
Assignment: Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enable-AUM-Updates-LZ |
Policy Set | Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates |
Type | Custom |
Category | Security Center |
Description | Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
Assignment: Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup |
Policy | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 |
Type | BuiltIn |
Category | Backup |
Description | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-vmHybr-Monitoring |
Policy Set | Enable Azure Monitor for Hybrid VMs with AMA |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321 |
Type | BuiltIn |
Category | Monitoring |
Description | Enable Azure Monitor for the hybrid virtual machines with AMA. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-KeyMgmt |
Policy Set | Deploy Azure Monitor Baseline Alerts for Key Management |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-KeyManagement |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Key Management Services such as Azure Key Vault, and Managed HSM. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-BotService |
Policy Set | Enforce recommended guardrails for Bot Service |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService |
Type | Custom |
Category | Bot Service |
Description | This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-MySQL |
Policy Set | Enforce recommended guardrails for MySQL |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL |
Type | Custom |
Category | MySQL |
Description | This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-VM |
Policy Set | Deploy Azure Monitor Baseline Alerts for Virtual Machines |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-VM |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Azure Virtual Machines. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AzSqlDb-Auditing |
Policy | Configure SQL servers to have auditing enabled to Log Analytics workspace |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb |
Type | BuiltIn |
Category | SQL |
Description | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-PostgreSQL |
Policy Set | Enforce recommended guardrails for PostgreSQL |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL |
Type | Custom |
Category | PostgreSQL |
Description | This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-LoadBalance |
Policy Set | Deploy Azure Monitor Baseline Alerts for Load Balancing |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-LoadBalancing |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Load Balancing Services such as Load Balancer, Application Gateway, Traffic Manager, and Azure Front Door. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring |
Policy Set | Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6 |
Type | BuiltIn |
Category | Monitoring |
Description | Enable Azure Monitor for the virtual machines (VMs) with AMA. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-ContInst |
Policy Set | Enforce recommended guardrails for Container Instance |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance |
Type | Custom |
Category | Container Instances |
Description | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-vmArc-ChangeTrack |
Policy Set | Enable ChangeTracking and Inventory for Arc-enabled virtual machines |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1 |
Type | BuiltIn |
Category | ChangeTrackingAndInventory |
Description | Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-ChangeTrack |
Policy Set | [Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc |
Type | BuiltIn |
Category | ChangeTrackingAndInventory |
Description | Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-HybridVM |
Policy Set | Deploy Azure Monitor Baseline Alerts for Hybrid VMs |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-HybridVM |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Azure Arc-enabled Servers. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-APIM |
Policy Set | Enforce recommended guardrails for API Management |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM |
Type | Custom |
Category | API Management |
Description | This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg |
Policy | Subnets should have a Network Security Group |
Policy Definition Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg |
Type | Custom |
Category | Network |
Description | This policy denies the creation of a subnet without a Network Security Group. NSGs help to protect traffic at the subnet level. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Esc-AKS |
Policy | Kubernetes clusters should not allow container privilege escalation |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 |
Type | BuiltIn |
Category | Kubernetes |
Description | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Audit-AppGW-WAF |
Policy | Web Application Firewall (WAF) should be enabled for Application Gateway |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 |
Type | BuiltIn |
Category | Network |
Description | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-OpenAI |
Policy Set | Enforce recommended guardrails for Open AI (Cognitive Service) |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI |
Type | Custom |
Category | Cognitive Services |
Description | This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS |
Policy | Kubernetes clusters should be accessible only over HTTPS |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d |
Type | BuiltIn |
Category | Kubernetes |
Description | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc. |
Assignment: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-SQL-AMA-LZ |
Policy Set | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26 |
Type | BuiltIn |
Category | Security Center |
Description | Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-ChangeTrack |
Policy Set | Enable ChangeTracking and Inventory for virtual machines |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354 |
Type | BuiltIn |
Category | ChangeTrackingAndInventory |
Description | Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-ContReg |
Policy Set | Enforce recommended guardrails for Container Registry |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry |
Type | Custom |
Category | Container Registry |
Description | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-NetworkChang |
Policy Set | Deploy Azure Monitor Baseline Alerts for Changes in Network Routing and Security |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-NetworkChanges |
Type | Custom |
Category | Monitoring |
Description | This initiative implements Azure Monitor Baseline Alerts to monitor alterations in Network Routing and Security, such as modifications to Route Tables and the removal of Network Security Groups. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring |
Policy Set | Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA) |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485 |
Type | BuiltIn |
Category | Monitoring |
Description | Enable Azure Monitor for the virtual machine scale sets (VMSS) with AMA. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-EventGrid |
Policy Set | Enforce recommended guardrails for Event Grid |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid |
Type | Custom |
Category | Event Grid |
Description | This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-Snet-Private-LZ |
Policy | Subnets should be private |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837 |
Type | BuiltIn |
Category | Network |
Description | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Kubernetes |
Policy Set | Enforce recommended guardrails for Kubernetes |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes |
Type | Custom |
Category | Kubernetes |
Description | This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Automation |
Policy Set | Enforce recommended guardrails for Automation Account |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation |
Type | Custom |
Category | Automation |
Description | This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http |
Policy | Secure transfer to storage accounts should be enabled |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9 |
Type | BuiltIn |
Category | Storage |
Description | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVault-LZ |
Policy Set | Enforce recommended guardrails for Azure Key Vault |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault |
Type | Custom |
Category | Key Vault |
Description | Enforce recommended guardrails for Azure Key Vault. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-DataExpl |
Policy Set | Enforce recommended guardrails for Data Explorer |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer |
Type | Custom |
Category | Azure Data Explorer |
Description | This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-ServiceBus |
Policy Set | Enforce recommended guardrails for Service Bus |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus |
Type | Custom |
Category | Service Bus |
Description | This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET-LZ |
Policy | Virtual networks should be protected by Azure DDoS Protection |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d |
Type | BuiltIn |
Category | Network |
Description | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-landingzones/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-Storage |
Policy Set | Deploy Azure Monitor Baseline Alerts for Storage |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-Storage |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Storage Services such as Storage accounts. |
- managementGroups: Soli Deo Gloria
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Audit-ResourceRGLocation |
Policy | Audit resource location matches resource group location |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a |
Type | BuiltIn |
Category | General |
Description | Audit that the resource location matches its resource group location |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-Diag-Logs |
Policy Set | Enable allLogs category group resource logging for supported resources to Log Analytics |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038 |
Type | BuiltIn |
Category | Monitoring |
Description | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys a diagnostic setting using the allLogs category group to route logs to a Log Analytics workspace for all supported resources. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Audit-UnusedResources |
Policy Set | Unused resources driving cost should be avoided |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization |
Type | Custom |
Category | Cost Optimization |
Description | Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost. |
Assignment: Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-MDEndpointsAMA |
Policy Set | Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3 |
Type | BuiltIn |
Category | Security Center |
Description | Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Enforce-ACSB |
Policy Set | Enforce Azure Compute Security Benchmark compliance auditing |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB |
Type | Custom |
Category | Guest Configuration |
Description | Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Audit-ZoneResiliency |
Policy Set | [Preview]: Resources should be Zone Resilient |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5 |
Type | BuiltIn |
Category | Resilience |
Description | Some resource types can be deployed Zone Redundant (e.g. SQL Databases); some can be deployed Zone Aligned (e.g. Virtual Machines); and some can be deployed either Zone Aligned or Zone Redundant (e.g. Virtual Machine Scale Sets). Being zone aligned does not guarantee resilience, but it is the foundation on which a resilient solution can be built (e.g. three Virtual Machine Scale Sets zone aligned to three different zones in the same region with a load balancer). See https://aka.ms/AZResilience for more info. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log |
Policy | Configure Azure Activity logs to stream to specified Log Analytics workspace |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f |
Type | BuiltIn |
Category | Monitoring |
Description | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deny-UnmanagedDisk |
Policy | Audit VMs that do not use managed disks |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d |
Type | BuiltIn |
Category | Compute |
Description | This policy audits VMs that do not use managed disks |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-OssDb |
Policy Set | Configure Advanced Threat Protection to be enabled on open-source relational databases |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e |
Type | BuiltIn |
Category | Security Center |
Description | Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-MDEndpoints |
Policy Set | [Preview]: Deploy Microsoft Defender for Endpoint agent |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc |
Type | BuiltIn |
Category | Security Center |
Description | Deploy Microsoft Defender for Endpoint agent on applicable images. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring |
Policy Set | Microsoft cloud security benchmark |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 |
Type | BuiltIn |
Category | Security Center |
Description | The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deny-Classic-Resources |
Policy | Not allowed resource types |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
Type | BuiltIn |
Category | General |
Description | Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config-H224 |
Policy Set | Deploy Microsoft Defender for Cloud configuration |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319 |
Type | Custom |
Category | Security Center |
Description | Deploy Microsoft Defender for Cloud configuration |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Audit-TrustedLaunch |
Policy Set | Audit virtual machines for Trusted Launch support |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch |
Type | Custom |
Category | Trusted Launch |
Description | Trusted Launch improves the security of a virtual machine; it requires the VM SKU, OS disk and OS image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-SqlAtp |
Policy Set | Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances |
Policy Set Id | /providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 |
Type | BuiltIn |
Category | Security Center |
Description | Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-Notification |
Policy Set | Deploy Azure Monitor Baseline Alerts - Notification Assets |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Notification-Assets |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Notification Assets for Azure Monitor Baseline Alerts: an Alert Processing Rule and an Action Group to manage notifications and actions, and a Notification Suppression Rule to control which alert notifications are sent. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-SvcHealth |
Policy Set | Deploy Azure Monitor Baseline Alerts for Service Health |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-ServiceHealth |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Service Health Events such as Service issues, Planned maintenance, Health advisories, Security advisories, and Resource health. |
- managementGroups: Decommissioned
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-decommissioned/providers/Microsoft.Authorization/policyAssignments/Enforce-ALZ-Decomm |
Policy Set | Enforce policies in the Decommissioned Landing Zone |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm |
Type | Custom |
Category | Decommissioned |
Description | Enforce policies in the Decommissioned Landing Zone. |
- managementGroups: Management
Assignment: Configure Log Analytics workspace and automation account to centralize logs and monitoring
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics |
Policy | Configure Log Analytics workspace and automation account to centralize logs and monitoring |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955 |
Type | BuiltIn |
Category | Monitoring |
Description | Deploy a resource group containing a Log Analytics workspace and a linked automation account to centralize logs and monitoring. The automation account is a prerequisite for solutions like Updates and Change Tracking. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-management/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-Management |
Policy Set | Deploy Azure Monitor Baseline Alerts for Management |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-Management |
Type | Custom |
Category | Monitoring |
Description | Initiative to deploy AMBA alerts relevant to the ALZ Management management group |
- managementGroups: Corp
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-corp/providers/Microsoft.Authorization/policyAssignments/Audit-PeDnsZones |
Policy | Audit or Deny the creation of Private Link Private DNS Zones |
Policy Definition Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones |
Type | Custom |
Category | Network |
Description | This policy audits or denies, depending on the assignment effect, the creation of Private Link private DNS zones in the current scope. It is used in combination with the policies that create centralized private DNS zones in the connectivity subscription. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-corp/providers/Microsoft.Authorization/policyAssignments/Deny-HybridNetworking |
Policy | Not allowed resource types |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
Type | BuiltIn |
Category | General |
Description | Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP-On-NIC |
Policy | Network interfaces should not have public IPs |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114 |
Type | BuiltIn |
Category | Network |
Description | This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones |
Policy Set | Configure Azure PaaS services to use private DNS zones |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones |
Type | Custom |
Category | Network |
Description | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints |
Policy Set | Public network access should be disabled for PaaS services |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints |
Type | Custom |
Category | Network |
Description | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints |
- managementGroups: Connectivity
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-connectivity/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-Connectivity |
Policy Set | Deploy Azure Monitor Baseline Alerts for Connectivity |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-Connectivity |
Type | Custom |
Category | Monitoring |
Description | This initiative deploys Azure Monitor Baseline Alerts to monitor Network components such as Azure Firewalls, ExpressRoute, VPN, and Private DNS Zones. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET-Con |
Policy | Virtual networks should be protected by Azure DDoS Protection |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d |
Type | BuiltIn |
Category | Network |
Description | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. |
- managementGroups: Sandbox
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-sandbox/providers/Microsoft.Authorization/policyAssignments/Enforce-ALZ-Sandbox |
Policy Set | Enforce policies in the Sandbox Landing Zone |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox |
Type | Custom |
Category | Sandbox |
Description | Enforce policies in the Sandbox Landing Zone. |
- managementGroups: Identity
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-AMBA-Identity |
Policy Set | Deploy Azure Monitor Baseline Alerts for Identity |
Policy Set Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policySetDefinitions/Alerting-Identity |
Type | Custom |
Category | Monitoring |
Description | Initiative to deploy AMBA alerts relevant to the ALZ Identity management group |
Assignment: Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup |
Policy | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 |
Type | BuiltIn |
Category | Backup |
Description | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg |
Policy | Subnets should have a Network Security Group |
Policy Definition Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg |
Type | Custom |
Category | Network |
Description | This policy denies the creation of a subnet without a Network Security Group. NSGs help protect traffic at the subnet level. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-identity/providers/Microsoft.Authorization/policyAssignments/Deny-MgmtPorts-Internet |
Policy | Management port access from the Internet should be blocked |
Policy Definition Id | /providers/Microsoft.Management/managementGroups/sdg/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet |
Type | Custom |
Category | Network |
Description | This policy denies any network security rule that allows management port access from the Internet; by default it blocks the SSH and RDP ports. |
Property | Value |
---|---|
Assignment Id | /providers/Microsoft.Management/managementGroups/sdg-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP |
Policy | Not allowed resource types |
Policy Definition Id | /providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
Type | BuiltIn |
Category | General |
Description | Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. |
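The property tables above name each assignment and the initiative or definition it binds, but not the effect that actually results. That value is resolved in layers: the assignment's parameters win if set, otherwise the initiative's parameter defaults, otherwise the definition's own defaultValue or hard-coded effect, and whatever is chosen must be one of the definition's allowedValues. The following Python script is an added example, not code from this repository or from the Azure Landing Zones tooling. It reproduces that resolution over a constructed catalogue (every id, parameter name and value below is hypothetical) and adds the check a reviewer of this page would want: assignments whose Deny- name does not resolve to a Deny effect (compare Deny-UnmanagedDisk above, which is bound to an audit-only definition).

```python
"""Resolve the effect an Azure Policy assignment actually produces.

Added example; not code from the oWretch/policy wiki or from Azure Landing
Zones. The dictionaries mirror the ARM REST shapes of policyDefinitions,
policySetDefinitions and policyAssignments, but their contents are constructed.
"""
import re

# ARM parameter reference syntax used inside definitions and initiatives.
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

MG = "/providers/Microsoft.Management/managementGroups/example"  # hypothetical scope
DEF_SUBNET = f"{MG}/providers/Microsoft.Authorization/policyDefinitions/Example-Subnet-Nsg"
DEF_PORTS = f"{MG}/providers/Microsoft.Authorization/policyDefinitions/Example-MgmtPorts"
DEF_LOGS = f"{MG}/providers/Microsoft.Authorization/policyDefinitions/Example-Resource-Logs"
SET_NET = f"{MG}/providers/Microsoft.Authorization/policySetDefinitions/Example-Network-Guardrails"


def effect_param(default, allowed=("Audit", "Deny", "Disabled")):
    return {"type": "String", "allowedValues": list(allowed), "defaultValue": default}


def definition(resource_type, effect_expr, parameters):
    return {"properties": {"parameters": parameters,
                           "policyRule": {"if": {"field": "type", "equals": resource_type},
                                          "then": {"effect": effect_expr}}}}


# Constructed catalogue: two parameterised effects and one hard-coded effect.
POLICY_DEFINITIONS = {
    DEF_SUBNET: definition("Microsoft.Network/virtualNetworks/subnets",
                           "[parameters('effect')]", {"effect": effect_param("Deny")}),
    DEF_PORTS: definition("Microsoft.Network/networkSecurityGroups/securityRules",
                          "[parameters('effect')]", {"effect": effect_param("Deny")}),
    DEF_LOGS: definition("Microsoft.Web/sites", "AuditIfNotExists", {}),
}
POLICY_SET_DEFINITIONS = {
    SET_NET: {"properties": {
        "parameters": {"subnetNsgEffect": effect_param("Deny"), "mgmtPortsEffect": effect_param("Deny")},
        "policyDefinitions": [
            {"policyDefinitionReferenceId": "SubnetNsg", "policyDefinitionId": DEF_SUBNET,
             "parameters": {"effect": {"value": "[parameters('subnetNsgEffect')]"}}},
            {"policyDefinitionReferenceId": "MgmtPorts", "policyDefinitionId": DEF_PORTS,
             "parameters": {"effect": {"value": "[parameters('mgmtPortsEffect')]"}}},
            {"policyDefinitionReferenceId": "ResourceLogs", "policyDefinitionId": DEF_LOGS},
        ]}},
}
# Constructed assignments: an initiative assignment relaxing one member, and a direct assignment.
ASSIGNMENTS = {
    "Enforce-Network-Sandbox": {"properties": {"policyDefinitionId": SET_NET,
                                               "parameters": {"subnetNsgEffect": {"value": "Audit"}}}},
    "Deny-Subnet-Without-Nsg": {"properties": {"policyDefinitionId": DEF_SUBNET, "parameters": {}}},
}


def resolve_ref(value, scope):
    """Return a literal: the value itself, or the parameter it references, looked up in scope."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    if not m:
        return value
    if m.group(1) not in scope:
        raise KeyError(f"unresolved parameter reference: {m.group(1)}")
    return scope[m.group(1)]


def bind_parameters(declared, supplied):
    """Merge supplied {name: {'value': v}} over declared defaults and validate against allowedValues."""
    unknown = set(supplied) - set(declared)
    if unknown:
        raise ValueError(f"parameters not declared by the target: {sorted(unknown)}")
    bound = {}
    for name, spec in declared.items():
        if name in supplied:
            value = supplied[name]["value"]
        elif "defaultValue" in spec:
            value = spec["defaultValue"]
        else:
            raise ValueError(f"parameter {name!r} has neither a value nor a default")
        allowed = spec.get("allowedValues")
        if allowed is not None and value not in allowed:
            raise ValueError(f"{value!r} is not an allowed value for {name!r}: {allowed}")
        bound[name] = value
    return bound


def effect_of_definition(policy_definition_id, supplied):
    """Resolve one definition's effect; the caller refines 'source' when an initiative sits in between."""
    props = POLICY_DEFINITIONS[policy_definition_id]["properties"]
    declared = props.get("parameters", {})
    bound = bind_parameters(declared, supplied)
    then_effect = props["policyRule"]["then"]["effect"]
    m = PARAM_REF.match(then_effect)
    if not m:
        return {"effect": then_effect, "parameter": None, "allowedValues": None, "source": "hard-coded"}
    name = m.group(1)
    return {"effect": bound[name], "parameter": name, "allowedValues": declared[name].get("allowedValues"),
            "source": "assignment" if name in supplied else "definition default"}


def effective_effects(assignment):
    """Map each policy reached by the assignment to its resolved effect and where that value came from."""
    props = assignment["properties"]
    target, supplied = props["policyDefinitionId"], props.get("parameters", {})
    if "/policySetDefinitions/" not in target:
        return {target.rsplit("/", 1)[-1]: effect_of_definition(target, supplied)}
    set_props = POLICY_SET_DEFINITIONS[target]["properties"]
    set_bound = bind_parameters(set_props.get("parameters", {}), supplied)  # assignment beats initiative default
    results = {}
    for member in set_props["policyDefinitions"]:
        raw = member.get("parameters", {})
        member_supplied = {k: {"value": resolve_ref(v["value"], set_bound)} for k, v in raw.items()}
        info = effect_of_definition(member["policyDefinitionId"], member_supplied)
        if info["parameter"] in raw:  # the initiative maps the effect parameter; record who set it
            ref = PARAM_REF.match(str(raw[info["parameter"]]["value"]))
            info["source"] = ("initiative literal" if ref is None
                              else "assignment" if ref.group(1) in supplied else "initiative default")
        results[member["policyDefinitionReferenceId"]] = info
    return results


def misnamed_deny_assignments(assignments):
    """Names of Deny-* assignments that do not resolve to Deny for every policy they reach."""
    return sorted(name for name, a in assignments.items() if name.startswith("Deny-")
                  and any(i["effect"] != "Deny" for i in effective_effects(a).values()))


if __name__ == "__main__":
    for name, assignment in ASSIGNMENTS.items():
        for ref_id, info in effective_effects(assignment).items():
            print(f"{name:24} {ref_id:20} {info['effect']:18} ({info['source']}; allowed: {info['allowedValues']})")
    print("name/effect mismatches:", misnamed_deny_assignments(ASSIGNMENTS))
```

To run it against a real tenant, replace the three constructed dictionaries with the objects returned by the Azure Resource Manager REST API (for example through `az rest`), which use the same `properties` nesting; the flattened output of `az policy definition show` would need its top-level keys wrapped in `properties` first.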
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
API for FHIR | Azure API for FHIR should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | audit disabled | audit disabled |  |  |  |  |  |  |  |
API Management | API Management APIs should use only encrypted protocols To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled |  |  |  |  |  |  |
API Management | API Management calls to API backends should be authenticated Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled |  |  |  |  |  |  |
API Management | API Management calls to API backends should not bypass certificate thumbprint or name validation To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled |  |  |  |  |  |  |
API Management | API Management direct management endpoint should not be enabled The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled |  |  |  |  |  |  |
API Management | API Management minimum API version should be set to 2019-12-01 or higher To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled |  |  |  |  |  |  |
API Management | API Management secret named values should be stored in Azure Key Vault Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled |  |  |  |  |  |  |
API Management | API Management service should use a SKU that supports virtual networks With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. | Deny Disabled Audit | Deny Disabled Audit |  |  |  |  |  |  |  |
API Management | API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled |  |  |  |  |  |  |
API Management | API Management services should use TLS version 1.2 Azure API Management service should use TLS version 1.2 | Deny Disabled Audit | Deny Disabled Audit |  |  |  |  |  |  |  |
API Management | API Management should disable public network access to the service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | AuditIfNotExists Disabled | AuditIfNotExists Disabled |  |  |  |  |  |  |  |
API Management | API Management subscriptions should not be scoped to all APIs API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled |  |  |  |  |  |  |
API Management | Azure API Management platform version should be stv2 Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024 | Audit Deny Disabled |  |  |  |  |  |  |  |  |
API Management | Configure API Management services to disable access to API Management public service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | DeployIfNotExists Disabled | DeployIfNotExists Disabled |  |  |  |  |  |  |  |
App Configuration | App Configuration should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Deny Disabled Audit |  |  |  |  |  |  |  |  |
App Configuration | App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists Disabled |  |  |  |  |  |  |  |  |
App Configuration | Configure private DNS zones for private endpoints connected to App Configuration Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. | DeployIfNotExists Disabled |  |  |  |  |  |  |  |  |
App Platform | Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Audit Deny Disabled |  |  |  |  |  |  |  |  |
App Service | API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit Deny Disabled |  |  |  |  |  |  |  |  |
App Service | App Service app slots should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Deny Disabled Audit |  |  |  |  |  |  |  |  |
App Service | App Service app slots should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Deny Disabled Audit | Deny Disabled Audit |  |  |  |  |  |  |  |
App Service | App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Deny Disabled Audit | Deny Disabled Audit |  |  |  |  |  |  |  |
App Service | App Service app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Deny Disabled Audit |  |  |  |  |  |  |  |  |
App Service | App Service apps should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Deny Disabled Audit |  |  |  |  |  |  |  |  |
App Service | App Service apps should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Deny Disabled Audit | Deny Disabled Audit |  |  |  |  |  |  |  |
App Service | App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Deny Disabled Audit | Deny Disabled Audit |  |  |  |  |  |  |  |
App Service | App Service apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists Disabled |  |  |  |  |  |  |  |  |
App Service | App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists Disabled |  |  |  |  |  |  |  |  |
App Service | App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists Disabled |  |  |  |  |  |  |  |  |
App Service | App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists Disabled |  |  |  |  |  |  |  |  |
App Service | App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Deny Disabled Audit | Audit Deny Disabled |  |  |  |  |  |  |  |
App Service | App Service apps should require FTPS only Enable FTPS enforcement for enhanced security. | AuditIfNotExists Disabled |  |  |  |  |  |  |  |  |
App Service | App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Deny Disabled Audit | Deny Disabled Audit |  |  |  |  |  |  |  |
App Service | App Service apps should use managed identity Use a managed identity for enhanced authentication security | AuditIfNotExists Disabled |  |  |  |  |  |  |  |  |
App Service | App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
|||||||
App Service |
App Service certificates must be stored in Key Vault App Service (including Logic apps and Function apps) must use certificates stored in Key Vault |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
App Service |
App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. |
Deny Disabled Audit |
||||||||
App Service |
App Service Environment should be provisioned with latest versions Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
App Service |
App Service Environment should have TLS 1.0 and 1.1 disabled TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. |
Deny Disabled Audit |
||||||||
App Service |
AppService append enable https only setting to enforce https setting. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny. |
Append Disabled |
||||||||
App Service |
AppService append sites with minimum TLS version to enforce. Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny. |
Append Disabled |
||||||||
App Service |
Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
App Service |
Configure App Service app slots to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. |
Modify Disabled |
Modify Disabled |
|||||||
App Service |
Configure App Service app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
App Service |
Configure App Service app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |
DeployIfNotExists Disabled |
||||||||
App Service |
Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
App Service |
Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
App Service |
Configure App Service apps to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. |
Modify Disabled |
Modify Disabled |
|||||||
App Service |
Configure App Service apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |
Modify Disabled |
Modify Disabled |
|||||||
App Service |
Configure App Service apps to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
App Service |
Configure App Service apps to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. |
DeployIfNotExists Disabled |
||||||||
App Service |
Configure App Service apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |
DeployIfNotExists Disabled |
||||||||
App Service |
Configure Function app slots to disable public network access Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. |
Modify Disabled |
Modify Disabled |
|||||||
App Service |
Configure Function app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |
Modify Disabled |
Modify Disabled |
|||||||
App Service |
Configure Function app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
App Service |
Configure Function app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |
DeployIfNotExists Disabled |
||||||||
App Service |
Configure Function apps to turn off remote debugging Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
App Service |
Configure Function apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |
DeployIfNotExists Disabled |
||||||||
App Service |
Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |
Audit Deny Disabled |
||||||||
App Service |
Function app slots should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. |
Deny Disabled Audit |
||||||||
App Service |
Function app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |
Deny Disabled Audit |
||||||||
App Service |
Function apps should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. |
Deny Disabled Audit |
||||||||
App Service |
Function apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. |
AuditIfNotExists Disabled |
||||||||
App Service |
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |
AuditIfNotExists Disabled |
||||||||
App Service |
Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |
AuditIfNotExists Disabled |
||||||||
App Service |
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |
Deny Disabled Audit |
Audit Deny Disabled |
|||||||
App Service |
Function apps should require FTPS only Enable FTPS enforcement for enhanced security. |
AuditIfNotExists Disabled |
||||||||
App Service |
Function apps should use managed identity Use a managed identity for enhanced authentication security |
AuditIfNotExists Disabled |
||||||||
App Service |
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
|||||||
App Service |
Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |
Audit Deny Disabled |
||||||||
Automanage |
Hotpatch should be enabled for Windows Server Azure Edition VMs Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Automation |
Automation Account should have Managed Identity Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code . |
Audit Disabled |
Audit Disabled |
|||||||
Automation |
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Automation |
Automation accounts should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. |
Deny Disabled Audit |
||||||||
Automation |
Azure Automation account should have local authentication method disabled Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Automation |
Azure Automation accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Automation |
Configure Azure Automation account to disable local authentication Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. |
Modify Disabled |
Modify Disabled |
|||||||
Automation |
Configure Azure Automation accounts to disable public network access Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. |
Modify Disabled |
Modify Disabled |
|||||||
Automation |
Configure Azure Automation accounts with private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Automation |
Configure Azure Automation accounts with private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Automation |
Deploy Automation Account TotalJob Alert Policy to audit/deploy Automation Account TotalJob Alert |
deployIfNotExists disabled |
||||||||
Azure Ai Services |
Azure AI Services resources should have key access disabled (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Azure Ai Services |
Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
Deny Disabled Audit |
|||||
Azure Ai Services |
Azure AI Services resources should use Azure Private Link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview |
Audit Disabled |
Audit Disabled |
Audit Disabled |
||||||
Azure Ai Services |
Configure Azure AI Services resources to disable local key access (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Azure Ai Services |
Configure Azure AI Services resources to disable local key access (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Azure Ai Services |
Diagnostic logs in Azure AI services resources should be enabled Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
||||||
Azure Arc |
Configure Azure Arc Private Link Scopes to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. |
DeployIfNotExists Disabled |
||||||||
Azure Data Explorer |
Azure Data Explorer encryption at rest should use a customer-managed key Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Azure Data Explorer |
Azure Data Explorer should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Azure Data Explorer |
Configure Azure Data Explorer to disable public network access Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters . |
Modify Disabled |
Modify Disabled |
|||||||
Azure Data Explorer |
Disk encryption should be enabled on Azure Data Explorer Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Azure Data Explorer |
Double encryption should be enabled on Azure Data Explorer Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Azure Data Explorer |
Public network access on Azure Data Explorer should be disabled Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. |
Deny Disabled Audit |
||||||||
Azure Databricks |
Azure Databricks Clusters should disable public IP Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. |
Audit Deny Disabled |
||||||||
Azure Databricks |
Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. |
Audit Deny Disabled |
||||||||
Azure Databricks |
Azure Databricks Workspaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. |
Audit Deny Disabled |
||||||||
Azure Databricks |
Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. |
Audit Disabled |
||||||||
Azure Databricks |
Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. |
DeployIfNotExists Disabled |
||||||||
Azure Databricks |
Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. |
DeployIfNotExists Disabled |
||||||||
Azure Databricks |
Resource logs in Azure Databricks Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. |
AuditIfNotExists Disabled |
||||||||
Azure Update Manager |
Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
modify | modify | |||||||
Azure Update Manager |
Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
modify | modify | |||||||
Azure Update Manager |
Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
modify | modify | |||||||
Azure Update Manager |
Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
modify | modify | |||||||
Azure Update Manager |
Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
Audit Disabled |
||||||||
Backup |
[Preview]: Azure Recovery Services vaults should disable public network access Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. |
Deny Disabled Audit |
||||||||
Backup |
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Backup |
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. |
DeployIfNotExists Disabled |
||||||||
Backup |
[Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. |
Audit Disabled |
Audit Disabled |
|||||||
Backup |
[Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. |
Audit Disabled |
Audit Disabled |
|||||||
Backup |
[Preview]: Multi-User Authorization (MUA) must be enabled for Backup Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Backup Vaults. MUA helps in securing your Backup Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/mua-for-bv. |
Audit Disabled |
Audit Disabled |
|||||||
Backup |
[Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Recovery Services Vaults. MUA helps in securing your Recovery Services Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/MUAforRSV. |
Audit Disabled |
Audit Disabled |
|||||||
Backup |
[Preview]: Soft delete must be enabled for Recovery Services Vaults. This policy audits if soft delete is enabled for Recovery Services Vaults in the scope. Soft delete can help you recover your data even after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete. |
Audit Disabled |
Audit Disabled |
|||||||
Backup |
[Preview]: Soft delete should be enabled for Backup Vaults This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete |
Audit Disabled |
Audit Disabled |
|||||||
Backup |
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. |
AuditIfNotExists Disabled |
||||||||
Batch |
Azure Batch account should use customer-managed keys to encrypt data Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Batch |
Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. |
DeployIfNotExists Disabled |
Batch |
Public network access should be disabled for Batch accounts Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. |
Deny Disabled Audit |
Batch |
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |
AuditIfNotExists Disabled |
Bot Service |
Bot Service endpoint should be a valid HTTPS URI Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. |
Deny Disabled Audit |
Deny Disabled Audit |
Bot Service |
Bot Service should be encrypted with a customer-managed key Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. |
Deny Disabled Audit |
Deny Disabled Audit |
Bot Service |
Bot Service should have isolated mode enabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. |
Deny Disabled Audit |
Deny Disabled Audit |
Bot Service |
Bot Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. |
Deny Disabled Audit |
Deny Disabled Audit |
Bot Service |
Bot Service should have public network access disabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. |
Deny Disabled Audit |
Bot Service |
BotService resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. |
Audit Disabled |
Audit Disabled |
Bot Service |
Configure BotService resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
Cache |
Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. Appends a specific minimum TLS version requirement and enforces TLS on Azure Cache for Redis. Requiring a minimum TLS version on the connection between the cache and client applications helps protect against man-in-the-middle attacks by encrypting the data stream between the cache and your application. This configuration ensures that TLS is always required when accessing the cache. |
Append Disabled |
Cache |
Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Appends enableNonSslPort = false so that the non-TLS port of Azure Cache for Redis is closed. Together with a minimum TLS version, this ensures the connection between the cache and client applications is always encrypted, which helps protect against man-in-the-middle attacks on the data stream between the cache and your application. |
Append Disabled |
Cache |
Azure Cache for Redis only secure connections should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Validates both that a minimum TLS version is set and that enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |
Audit Deny Disabled |
Cache |
Azure Cache for Redis should disable public network access Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. |
Deny Disabled Audit |
Cache |
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. |
AuditIfNotExists Disabled |
Cache |
Configure Azure Cache for Redis to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
Cache |
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |
Audit Deny Disabled |
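The Cache rows above for Azure Cache for Redis combine two mechanisms: the Append assignments rewrite the create/update request so that enableNonSslPort is false and a minimum TLS version is present, and the secure-connections policy then evaluates the resource with Audit (report only) or Deny (reject the request). The Python block below is an added example that models that evaluation offline; it is not Azure's policy engine and not code from the oWretch/policy repository. The alias spellings (`Microsoft.Cache/Redis/enableNonSslPort`, `Microsoft.Cache/Redis/minimumTlsVersion`), the exact rule and the sample resources are assumptions modelled on the row descriptions.

```python
"""Offline model of Azure Policy's Audit, Deny and Append effects on an Azure
Cache for Redis resource.  Added illustration, not Azure's engine and not the
policy repository's code; it implements only allOf/anyOf, field, equals/exists/
less.  Aliases and rules are assumptions modelled on the row descriptions."""
from copy import deepcopy
from typing import Any, Optional

TLS_ALIAS = "Microsoft.Cache/Redis/minimumTlsVersion"      # assumed alias
NON_SSL_ALIAS = "Microsoft.Cache/Redis/enableNonSslPort"   # assumed alias

# Modelled on "only secure connections should be enabled": non-compliant if the
# non-TLS port is open, or no minimum TLS version is set, or it is below 1.2.
SECURE_CONNECTIONS_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Cache/Redis"},
        {"anyOf": [
            {"field": NON_SSL_ALIAS, "equals": "true"},
            {"field": TLS_ALIAS, "exists": "false"},
            {"field": TLS_ALIAS, "less": "1.2"},
        ]},
    ]},
    "then": {"effect": "[parameters('effect')]"},
}
# Modelled on "Append and the enforcement that enableNonSslPort is disabled".
APPEND_NON_SSL_RULE = {
    "if": {"field": "type", "equals": "Microsoft.Cache/Redis"},
    "then": {"effect": "append", "details": [{"field": NON_SSL_ALIAS, "value": False}]},
}

def _norm(v: Any) -> Any:
    """Azure compares strings case-insensitively and booleans as 'true'/'false'."""
    return str(v).lower() if isinstance(v, (bool, str)) else v

def _prop(alias: str) -> str:
    """'Microsoft.Cache/Redis/enableNonSslPort' -> 'enableNonSslPort'."""
    return alias.rsplit("/", 1)[1]

def _get(resource: dict, alias: str) -> Optional[Any]:
    """Resolve the 'type' alias or a top-level property alias."""
    if alias == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(_prop(alias))

def matches(cond: dict, resource: dict) -> bool:
    """Evaluate a policy 'if' block: allOf/anyOf plus one field condition."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = _get(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "less" in cond:  # version strings such as '1.0' < '1.2' compare as text
        return value is not None and str(value) < str(cond["less"])
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule: dict, resource: dict, effect: str) -> dict:
    """Apply one assignment to a create/update request.  allowed: would ARM accept
    it; compliant: None when Disabled; resource: the document as it would be stored."""
    effect = effect.lower()
    if effect == "disabled":
        return {"allowed": True, "compliant": None, "resource": resource}
    if not matches(rule["if"], resource):
        return {"allowed": True, "compliant": True, "resource": resource}
    if effect == "append":  # add missing fields; a conflicting value is denied
        out = deepcopy(resource)
        for op in rule["then"]["details"]:
            current = _get(out, op["field"])
            if current is None:
                out.setdefault("properties", {})[_prop(op["field"])] = op["value"]
            elif _norm(current) != _norm(op["value"]):
                return {"allowed": False, "compliant": False, "resource": resource}
        return {"allowed": True, "compliant": True, "resource": out}
    if effect in ("audit", "deny"):
        return {"allowed": effect == "audit", "compliant": False, "resource": resource}
    raise ValueError(f"unsupported effect: {effect}")

# Constructed sample requests, not real resources.
WEAK_CACHE = {"type": "Microsoft.Cache/Redis", "name": "cache-weak",
              "properties": {"enableNonSslPort": True, "minimumTlsVersion": "1.0"}}
BARE_REQUEST = {"type": "Microsoft.Cache/Redis", "name": "cache-new",
                "properties": {"minimumTlsVersion": "1.2"}}  # port setting omitted

def demo() -> dict:
    """Run the Audit, Deny and Append assignments; every value should be True."""
    rule = SECURE_CONNECTIONS_RULE
    appended = evaluate(APPEND_NON_SSL_RULE, BARE_REQUEST, "append")["resource"]
    return {
        "deny_blocks_weak": not evaluate(rule, WEAK_CACHE, "deny")["allowed"],
        "audit_allows_but_flags_weak": evaluate(rule, WEAK_CACHE, "audit")
        == {"allowed": True, "compliant": False, "resource": WEAK_CACHE},
        "append_fills_port": appended["properties"]["enableNonSslPort"] is False,
        "appended_is_compliant": evaluate(rule, appended, "deny")["compliant"],
        "append_rejects_conflict": not evaluate(APPEND_NON_SSL_RULE, WEAK_CACHE, "append")["allowed"],
    }

if __name__ == "__main__":
    print(demo())
```

The append_rejects_conflict result is the caveat worth keeping in mind: Append fills in a missing field, but when the request already carries a different value for that field Azure Policy denies the request rather than overwriting it, so an Append assignment behaves like Deny for callers who explicitly ask for enableNonSslPort = true. Audit and Deny share one rule and differ only in whether the non-compliant request is stored.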
ChangeTrackingAndInventory |
[Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
[Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
[Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
[Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
ChangeTrackingAndInventory |
Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
Cognitive Services |
[Deprecated]: Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |
Deny Disabled Audit |
Cognitive Services |
[Deprecated]: Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. |
Audit Disabled |
Cognitive Services |
Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. |
Deny Disabled Audit |
Deny Disabled Audit |
Disabled Deny Audit |
Cognitive Services |
Cognitive Services accounts should use a managed identity Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. |
Deny Disabled Audit |
Deny Disabled Audit |
Cognitive Services |
Cognitive Services accounts should use customer owned storage Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. |
Deny Disabled Audit |
Deny Disabled Audit |
Cognitive Services |
Configure Cognitive Services accounts to disable local authentication methods Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. |
Modify Disabled |
Modify Disabled |
Cognitive Services |
Configure Cognitive Services accounts to disable public network access Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. |
Modify Disabled |
Modify Disabled |
Cognitive Services |
Configure Cognitive Services accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. |
DeployIfNotExists Disabled |
Cognitive Services |
Network ACLs should be restricted for Cognitive Services Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints. |
Deny Disabled Audit |
Deny Disabled Audit |
Cognitive Services |
Outbound network access should be restricted for Cognitive Services Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service. |
Deny Disabled Audit |
Deny Disabled Audit |
Compute |
Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. |
DeployIfNotExists Disabled |
Compute |
Deploy Virtual Machine Auto Shutdown Schedule Deploys an auto shutdown schedule to a virtual machine |
deployIfNotExists |
Compute |
Deploy VM CPU Alert Policy to audit/deploy VM CPU Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM Data Disk Read Latency Alert Policy to audit/deploy VM dataDiskReadLatency Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM Data Disk Space Alert Policy to audit/deploy VM data Disk Space Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM Data Disk Write Latency Alert Policy to audit/deploy VM dataDiskWriteLatency Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM HeartBeat Alert Policy to audit/deploy VM HeartBeat Alert for all VMs in the subscription |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM Memory Alert Policy to audit/deploy VM Memory Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM Network Read Alert Policy to audit/deploy VM Network Read Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM Network Write Alert Policy to audit/deploy VM Network Out Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM OS Disk Read Latency Alert Policy to audit/deploy VM OSDiskreadLatency Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM OS Disk Space Alert Policy to audit/deploy VM OSDiskSpace Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Deploy VM OS Disk Write Latency Alert Policy to audit/deploy VM OSDiskwriteLatency Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Compute |
Managed disks should be double encrypted with both platform-managed and customer-managed keys Customers with high security sensitivity who are concerned about the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption, using a different encryption algorithm/mode at the infrastructure layer with platform-managed encryption keys. Disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. |
Deny Disabled Audit |
Deny Disabled Audit |
Compute |
Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. |
Audit Disabled |
Compute |
OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. |
Deny Disabled Audit |
Deny Disabled Audit |
Compute |
Virtual machines and virtual machine scale sets should have encryption at host enabled Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
Compute |
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |
Audit Deny Disabled |
Container Apps |
Container App environments should use network injection Container Apps environments should use virtual network injection to: 1. Isolate Container Apps from the public internet; 2. Enable network integration with resources on-premises or in other Azure virtual networks; 3. Achieve more granular control over network traffic flowing to and from the environment. |
Deny Disabled Audit |
Deny Disabled Audit |
Container Apps |
Container Apps environment should disable public network access Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. |
Deny Disabled Audit |
Container Apps |
Container Apps should disable external network access Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. |
Deny Disabled Audit |
Container Apps |
Container Apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. |
Deny Disabled Audit |
Container Apps |
Container Apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. |
Deny Disabled Audit |
Container Apps |
Managed Identity should be enabled for Container Apps Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication |
Deny Disabled Audit |
Deny Disabled Audit |
Container Instance |
Azure Container Instance container group should deploy into a virtual network Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. |
Deny Disabled Audit |
Deny Disabled Audit |
Container Instance |
Azure Container Instance container group should use customer-managed key for encryption Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |
Deny Disabled Audit |
Deny Disabled Audit |
Container Registry |
Configure container registries to disable anonymous authentication. Disable anonymous pull for your registry so that data is not accessible by unauthenticated users. Disabling local authentication methods like the admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. |
Modify Disabled |
Modify Disabled |
Container Registry |
Configure container registries to disable ARM audience token authentication. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. |
Modify Disabled |
Modify Disabled |
Container Registry |
Configure container registries to disable local admin account. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. |
Modify Disabled |
Modify Disabled |
Container Registry |
Configure Container registries to disable public network access Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. |
Modify Disabled |
Modify Disabled |
Container Registry |
Configure container registries to disable repository scoped access token. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. |
Modify Disabled |
Modify Disabled |
Container Registry |
Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. |
DeployIfNotExists Disabled |
Container Registry |
Container registries should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. |
Deny Disabled Audit |
Deny Disabled Audit |
Disabled Deny Audit |
Container Registry |
Container registries should have anonymous authentication disabled. Disable anonymous pull for your registry so that data is not accessible by unauthenticated users. Disabling local authentication methods like the admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. |
Deny Disabled Audit |
Deny Disabled Audit |
Container Registry |
Container registries should have ARM audience token authentication disabled. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. |
Deny Disabled Audit |
Deny Disabled Audit |
Container Registry |
Container registries should have exports disabled Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. |
Deny Disabled Audit |
Deny Disabled Audit |
Container Registry |
Container registries should have local admin account disabled. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. |
Deny Disabled Audit |
Deny Disabled Audit |
Container Registry |
Container registries should have repository scoped access token disabled. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. |
Deny Disabled Audit |
Deny Disabled Audit |
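The Modify rows above ("Configure container registries to disable …", "Configure Container registries to disable public network access") and their Audit/Deny counterparts ("Container registries should have … disabled") act on the same registry properties: Modify rewrites the registry document so the local-authentication paths are switched off, while Audit/Deny only reports or blocks. The Python block below is an added example that models that remediation and the matching checks offline; it is not Azure's policy engine and not code from the oWretch/policy repository. The property names (`adminUserEnabled`, `anonymousPullEnabled`, `policies.azureADAuthenticationAsArmPolicy.status`, `publicNetworkAccess`) follow the ARM schema for Microsoft.ContainerRegistry/registries and are an assumption, as is the sample registry; repository-scoped tokens are not modelled.

```python
"""Offline model of Azure Policy's Modify effect on an Azure Container Registry,
as in the "Configure container registries to disable ..." rows, next to the
checks behind the "Container registries should have ... disabled" Audit/Deny
rows.  Added illustration, not Azure's engine and not the policy repository's
code.  Property names follow the Microsoft.ContainerRegistry/registries ARM
schema (an assumption; the page does not spell them out); samples are constructed."""
from __future__ import annotations
from copy import deepcopy
from typing import Any

# Modify operations in Azure Policy's own vocabulary: add (only if absent),
# addOrReplace (force the value), remove.  Fields are paths under 'properties'.
LOCAL_AUTH_MODIFY_OPERATIONS = [
    {"operation": "addOrReplace", "field": "adminUserEnabled", "value": False},
    {"operation": "addOrReplace", "field": "anonymousPullEnabled", "value": False},
    {"operation": "addOrReplace",
     "field": "policies.azureADAuthenticationAsArmPolicy.status", "value": "disabled"},
    {"operation": "addOrReplace", "field": "publicNetworkAccess", "value": "Disabled"},
]

def _walk(props: dict, path: str, create: bool) -> tuple[dict | None, str]:
    """Return (parent dict, last key) for a dotted path, creating intermediates if asked."""
    parts, node = path.split("."), props
    for part in parts[:-1]:
        if not isinstance(node.get(part), dict):
            if not create:
                return None, parts[-1]
            node[part] = {}
        node = node[part]
    return node, parts[-1]

def apply_modify(registry: dict, operations: list[dict]) -> tuple[dict, list[str]]:
    """Rewrite a copy of the registry document the way Modify does at create/update
    time (and a remediation task does for existing registries); also return a change log.
    The caller's request is changed before it is stored, so the insecure value never lands."""
    out = deepcopy(registry)
    props = out.setdefault("properties", {})
    log: list[str] = []
    for op in operations:
        parent, key = _walk(props, op["field"], create=op["operation"] != "remove")
        if op["operation"] == "remove":
            if parent is not None and key in parent:
                del parent[key]
                log.append(f"removed {op['field']}")
        elif op["operation"] == "add":
            if key not in parent:
                parent[key] = op["value"]
                log.append(f"added {op['field']}={op['value']!r}")
        elif op["operation"] == "addOrReplace":
            if parent.get(key) != op["value"]:
                log.append(f"set {op['field']}={op['value']!r} (was {parent.get(key)!r})")
                parent[key] = op["value"]
        else:
            raise ValueError(f"unknown Modify operation {op['operation']!r}")
    return out, log

def local_auth_findings(registry: dict) -> list[str]:
    """The conditions behind the Audit/Deny rows: every non-Entra authentication
    path or public exposure still switched on.  An empty list means compliant."""
    p = registry.get("properties", {})
    findings = []
    if p.get("adminUserEnabled", False):
        findings.append("local admin account enabled")
    if p.get("anonymousPullEnabled", False):
        findings.append("anonymous pull enabled")
    arm = p.get("policies", {}).get("azureADAuthenticationAsArmPolicy", {}).get("status", "enabled")
    if str(arm).lower() != "disabled":
        findings.append("ARM audience tokens accepted")
    if str(p.get("publicNetworkAccess", "Enabled")).lower() != "disabled":
        findings.append("public network access enabled")
    return findings

# Constructed sample: a registry created with an admin user and anonymous pull,
# the state the Modify rows exist to clean up.
SAMPLE_REGISTRY = {
    "type": "Microsoft.ContainerRegistry/registries", "name": "acrsample",
    "sku": {"name": "Premium"},
    "properties": {"adminUserEnabled": True, "anonymousPullEnabled": True},
}

def demo() -> dict:
    """Findings before and after Modify, plus the change log."""
    fixed, log = apply_modify(SAMPLE_REGISTRY, LOCAL_AUTH_MODIFY_OPERATIONS)
    return {"before": local_auth_findings(SAMPLE_REGISTRY),
            "after": local_auth_findings(fixed), "changes": log,
            "original_untouched": SAMPLE_REGISTRY["properties"]["adminUserEnabled"] is True}

if __name__ == "__main__":
    print(demo())
```

Modify runs in the request path, so a registry submitted with adminUserEnabled true is stored with it false and the Deny counterpart never fires; the same operations are applied to registries that already exist by a remediation task, which is why each Modify assignment needs roleDefinitionIds and a managed identity allowed to write the registry. Running the operations a second time logs no changes, which is the property a remediation task relies on.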
Container Registry |
Container registries should have SKUs that support Private Links Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. |
Deny Disabled Audit |
Deny Disabled Audit |
Container Registry |
Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
Container Registry |
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. |
Audit Disabled |
||||||||
Container Registry |
Public network access should be disabled for Container registries Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. |
Deny Disabled Audit |
||||||||
Cosmos DB |
Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Cosmos DB |
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. |
deny disabled audit |
deny disabled audit |
disabled deny audit |
||||||
Cosmos DB |
Azure Cosmos DB key based metadata write access should be disabled This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. |
append | append | |||||||
Cosmos DB |
Azure Cosmos DB should disable public network access Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. |
Audit Deny Disabled |
Deny Disabled Audit |
|||||||
Cosmos DB |
Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. |
Modify Disabled |
Modify Disabled |
|||||||
Cosmos DB |
Configure CosmosDB accounts to disable public network access Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. |
Modify Disabled |
Modify Disabled |
|||||||
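The columns above differ only in the `effect` parameter each assignment passes to the same definition: a rule's `if` block (`allOf`/`anyOf`/`not`, `field` tests such as `equals`, `notEquals` and `exists`, `count` over arrays) selects resources, and `then.effect` decides whether a match is denied, audited or, for the "Configure ..." rows, rewritten in place by a Modify operation. The Python below is an added example, not code from the oWretch/policy repository or from Microsoft's built-in definitions: a toy evaluator with three rules modelled on the descriptions of the container registry local-authentication row, the "Azure Cosmos DB accounts should have firewall rules" row and the "Configure CosmosDB accounts to disable public network access" row. The alias-to-property mapping, the per-environment effect table `ENV_EFFECT` and the sample resources are all constructed for the demo.

```python
import copy

MISSING = object()  # sentinel: the aliased field is absent from the resource

def alias_path(alias):
    # Demo assumption: 'type' is top level and any other alias maps to properties.<lastSegment>;
    # the real engine resolves aliases from the resource provider schema.
    return ["type"] if alias == "type" else ["properties", alias.rsplit("/", 1)[1].split("[")[0]]

def get_field(resource, alias):
    node = resource
    for key in alias_path(alias):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def norm(value):
    return str(value).lower()  # comparisons are case-insensitive; booleans compare as "true"/"false"

def matches(cond, resource):
    """Evaluate one condition from a policy rule's 'if' block."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    if "count" in cond:  # number of array elements; an absent array counts as 0
        items = get_field(resource, cond["count"]["field"])
        return (0 if items is MISSING else len(items)) == cond["equals"]
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not MISSING) == (norm(cond["exists"]) == "true")
    if "equals" in cond:
        return value is not MISSING and norm(value) == norm(cond["equals"])
    if "notEquals" in cond:  # an absent field equals nothing, so it satisfies notEquals
        return value is MISSING or norm(value) != norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, params, resource):
    """Return the effect (lower-cased) that would apply, or None when the 'if' block does not match."""
    if not matches(definition["if"], resource):
        return None
    effect = definition["then"]["effect"]
    if effect.startswith("[parameters('"):  # "[parameters('effect')]" -> params["effect"]
        effect = params[effect[len("[parameters('"):-3]]
    return effect.lower()

def remediate(definition, resource):
    """Apply a Modify effect's addOrReplace operations to a copy of the resource (no-op when compliant)."""
    fixed = copy.deepcopy(resource)
    if evaluate(definition, {}, resource) != "modify":
        return fixed
    for op in definition["then"]["details"]["operations"]:
        if op["operation"] != "addOrReplace":
            raise ValueError("only addOrReplace is modelled here")
        *parents, leaf = alias_path(op["field"])
        node = fixed
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = op["value"]
    return fixed

# Rules modelled on the descriptions in the table above; not the built-in definitions' JSON.
ACR_LOCAL_AUTH = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.ContainerRegistry/registries"},
    {"anyOf": [{"field": "Microsoft.ContainerRegistry/registries/adminUserEnabled", "equals": "true"},
               {"field": "Microsoft.ContainerRegistry/registries/anonymousPullEnabled", "equals": "true"}]}]},
    "then": {"effect": "[parameters('effect')]"}}
COSMOS_FIREWALL = {"if": {"allOf": [  # non-compliant: public access on, and not (VNet filter on and >=1 IP rule)
    {"field": "type", "equals": "Microsoft.DocumentDB/databaseAccounts"},
    {"field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess", "notEquals": "Disabled"},
    {"anyOf": [{"field": "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled", "notEquals": "true"},
               {"count": {"field": "Microsoft.DocumentDB/databaseAccounts/ipRules[*]"}, "equals": 0}]}]},
    "then": {"effect": "[parameters('effect')]"}}
COSMOS_DISABLE_PUBLIC = {"if": {"allOf": [  # the Modify counterpart of the Deny/Audit rule
    {"field": "type", "equals": "Microsoft.DocumentDB/databaseAccounts"},
    {"field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess", "notEquals": "Disabled"}]},
    "then": {"effect": "Modify", "details": {"operations": [{"operation": "addOrReplace",
             "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess", "value": "Disabled"}]}}}

# Constructed sample resources (not real deployments).
ACR_ADMIN_ON = {"type": "Microsoft.ContainerRegistry/registries", "properties": {"adminUserEnabled": True}}
COSMOS_OPEN = {"type": "Microsoft.DocumentDB/databaseAccounts",
               "properties": {"publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": False, "ipRules": []}}
COSMOS_RULED = {"type": "Microsoft.DocumentDB/databaseAccounts", "properties": {"publicNetworkAccess": "Enabled",
                "isVirtualNetworkFilterEnabled": True, "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}]}}
# Assumed 'effect' parameter per environment, mirroring the first token of the table cells.
ENV_EFFECT = {"Platform": "Deny", "Landing Zones": "Deny", "Production": "Audit"}

def effects_by_environment(definition, resource):
    """One definition, one assignment parameter per environment: the per-column view of the table."""
    return {env: evaluate(definition, {"effect": eff}, resource) for env, eff in ENV_EFFECT.items()}

if __name__ == "__main__":
    print(effects_by_environment(ACR_LOCAL_AUTH, ACR_ADMIN_ON))  # {'Platform': 'deny', 'Landing Zones': 'deny', 'Production': 'audit'}
    print(effects_by_environment(COSMOS_FIREWALL, COSMOS_RULED))  # all None: the account is compliant
    fixed = remediate(COSMOS_DISABLE_PUBLIC, COSMOS_OPEN)
    print(evaluate(COSMOS_FIREWALL, {"effect": "Deny"}, COSMOS_OPEN), evaluate(COSMOS_FIREWALL, {"effect": "Deny"}, fixed))  # deny None
```

Run as a script it shows the same registry denied under a Deny assignment and only audited under an Audit one, and that applying the Modify rule's `addOrReplace` operation makes the firewall rule stop matching, which is why this initiative pairs each Deny/Audit definition with a "Configure ..." Modify counterpart. The toy engine compares values case-insensitively and lets an absent field satisfy `notEquals`, mirroring how missing aliases behave in Azure Policy; it does not model the existence conditions behind DeployIfNotExists/AuditIfNotExists, deployment templates or policy functions.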
Cosmos DB |
Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Cosmos DB |
Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Cosmos DB |
Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Cosmos DB |
Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Cosmos DB |
Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Cosmos DB |
Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Cosmos DB |
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. |
Audit Disabled |
||||||||
Cosmos DB |
Deploy Advanced Threat Protection for Cosmos DB Accounts This policy enables Advanced Threat Protection across Cosmos DB accounts. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Cost Optimization |
Audit AHUB for eligible VMs Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB. |
Audit Disabled |
||||||||
Cost Optimization |
Unused App Service plans driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. |
Audit Disabled |
||||||||
Cost Optimization |
Unused Disks driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. |
Audit Disabled |
||||||||
Cost Optimization |
Unused Public IP addresses driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. |
Audit Disabled |
||||||||
Data Box |
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Data Factory |
Azure data factories should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Data Factory |
Azure Data Factory linked services should use Key Vault for storing secrets To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Data Factory |
Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Data Factory |
Azure Data Factory should use a Git repository for source control Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Data Factory |
Configure Data Factories to disable public network access Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. |
Modify Disabled |
Modify Disabled |
|||||||
Data Factory |
Configure private DNS zones for private endpoints that connect to Azure Data Factory Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. |
DeployIfNotExists Disabled |
||||||||
Data Factory |
Configure private DNS zones for private endpoints that connect to Azure Data Factory Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. |
DeployIfNotExists Disabled |
||||||||
Data Factory |
Public network access on Azure Data Factory should be disabled Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. |
Deny Disabled Audit |
||||||||
Data Factory |
SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Data Lake |
Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |
AuditIfNotExists Disabled |
||||||||
Data Lake |
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |
AuditIfNotExists Disabled |
||||||||
Desktop Virtualization |
Azure Virtual Desktop hostpools should disable public network access Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. |
Deny Disabled Audit |
||||||||
Desktop Virtualization |
Azure Virtual Desktop workspaces should disable public network access Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. |
Deny Disabled Audit |
||||||||
Desktop Virtualization |
Configure Azure Virtual Desktop hostpool resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Desktop Virtualization |
Configure Azure Virtual Desktop hostpools to disable public network access Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. |
Modify Disabled |
Modify Disabled |
|||||||
Desktop Virtualization |
Configure Azure Virtual Desktop workspace resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Desktop Virtualization |
Configure Azure Virtual Desktop workspaces to disable public network access Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. |
Modify Disabled |
Modify Disabled |
|||||||
Event Grid |
Azure Event Grid domains should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. |
Deny Disabled Audit |
||||||||
Event Grid |
Azure Event Grid domains should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Event Grid |
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. |
Audit Disabled |
||||||||
Event Grid |
Azure Event Grid partner namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Event Grid |
Azure Event Grid topics should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. |
Deny Disabled Audit |
||||||||
Event Grid |
Azure Event Grid topics should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Event Grid |
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. |
Audit Disabled |
||||||||
Event Grid |
Configure Azure Event Grid domains to disable local authentication Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. |
Modify Disabled |
Modify Disabled |
|||||||
Event Grid |
Configure Azure Event Grid partner namespaces to disable local authentication Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. |
Modify Disabled |
Modify Disabled |
|||||||
Event Grid |
Configure Azure Event Grid topics to disable local authentication Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. |
Modify Disabled |
Modify Disabled |
|||||||
Event Grid |
Deploy - Configure Azure Event Grid domains to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. |
deployIfNotExists Disabled |
||||||||
Event Grid |
Deploy - Configure Azure Event Grid topics to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. |
deployIfNotExists Disabled |
||||||||
Event Grid |
Modify - Configure Azure Event Grid domains to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. |
Modify Disabled |
Modify Disabled |
|||||||
Event Grid |
Modify - Configure Azure Event Grid topics to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. |
Modify Disabled |
Modify Disabled |
|||||||
Event Hub |
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Event Hub |
Azure Event Hub namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Event Hub |
Configure Azure Event Hub namespaces to disable local authentication Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. |
Modify Disabled |
Modify Disabled |
|||||||
Event Hub |
Configure Event Hub namespaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. |
DeployIfNotExists Disabled |
||||||||
Event Hub |
Event Hub namespaces (Premium) should use a customer-managed key for encryption Event Hub namespaces (Premium) should use a customer-managed key for encryption. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Event Hub |
Event Hub Namespaces should disable public network access Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service |
Deny Disabled Audit |
||||||||
Event Hub |
Event Hub namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Event Hub |
Event Hub namespaces should use a customer-managed key for encryption Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. |
Audit Disabled |
Audit Disabled |
|||||||
Event Hub |
Event Hub namespaces should use a valid TLS version Event Hub namespaces should use a valid TLS version. |
Deny Disabled Audit |
||||||||
Event Hub |
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |
AuditIfNotExists Disabled |
||||||||
General |
Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. |
deny | ||||||||
General |
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |
Audit Disabled |
||||||||
General |
Not allowed resource types Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. |
Deny Disabled Audit |
||||||||
Guest Configuration |
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. |
modify | ||||||||
Guest Configuration |
Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. |
AuditIfNotExists Disabled |
||||||||
Guest Configuration |
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. |
deployIfNotExists | ||||||||
Guest Configuration |
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. |
deployIfNotExists | ||||||||
Guest Configuration |
Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |
AuditIfNotExists Disabled |
||||||||
Guest Configuration |
Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. |
AuditIfNotExists Disabled |
||||||||
Guest Configuration |
Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |
AuditIfNotExists Disabled |
||||||||
Guest Configuration |
Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. |
AuditIfNotExists Disabled |
||||||||
Guest Configuration |
Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |
AuditIfNotExists Disabled |
||||||||
Guest Configuration |
Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. |
AuditIfNotExists Disabled |
||||||||
HDInsight |
Configure Azure HDInsight clusters to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. |
DeployIfNotExists Disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM CPU Alert Policy to audit/deploy VM CPU Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM Data Disk Read Latency Alert Policy to audit/deploy VM dataDiskReadLatency Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM Data Disk Space Alert Policy to audit/deploy VM data Disk Space Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM Data Disk Write Latency Alert Policy to audit/deploy VM dataDiskWriteLatency Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM Disconnected Alert Policy to Deploy Hybrid VM Disconnected Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM HeartBeat Alert Policy to audit/deploy VM HeartBeat Alert for all VMs in the subscription |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM Memory Alert Policy to audit/deploy VM Memory Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM Network Read Alert Policy to audit/deploy VM Nework Read Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM Network Write Alert Policy to audit/deploy VM Network Out Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM OS Disk Read Latency Alert Policy to audit/deploy VM OSDiskreadLatency Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM OS Disk Space Alert Policy to audit/deploy VM OSDiskSpace Alert |
deployIfNotExists disabled |
||||||||
Hybrid Compute |
Deploy Hybrid VM OS Disk Write Latency Alert Policy to audit/deploy VM OSDiskwriteLatency Alert |
deployIfNotExists disabled |
||||||||
Internet of Things | Configure Azure Device Update for IoT Hub accounts to use private DNS zones. Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for Device Update for IoT Hub private endpoints. | DeployIfNotExists Disabled | | | | | | | | |
Internet of Things | Configure IoT Hub device provisioning instances to use private DNS zones. Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet. | DeployIfNotExists Disabled | | | | | | | | |
Internet of Things | Deploy - Configure Azure IoT Hubs to use private DNS zones. Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | deployIfNotExists Disabled | | | | | | | | |
Internet of Things | Deploy - Configure IoT Central to use private DNS zones. Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Central private endpoints. | DeployIfNotExists Disabled | | | | | | | | |
Internet of Things | Resource logs in IoT Hub should be enabled. Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists Disabled | | | | | | | | |
Key Vault | [Preview]: Azure Key Vault Managed HSM keys should have an expiration date. To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration. To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size. To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | [Preview]: Azure Key Vault Managed HSM should disable public network access. Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Deny Disabled Audit | | | | | | | | |
Key Vault | [Preview]: Configure Azure Key Vault Managed HSM to disable public network access. Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Modify Disabled | Modify Disabled | | | | | | | |
Key Vault | Azure Key Vault Managed HSM should have purge protection enabled. Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | Azure Key Vault should disable public network access. Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Deny Disabled Audit | | | | | | | | |
Key Vault | Azure Key Vault should have firewall enabled or public network access disabled. Enable the key vault firewall so that the key vault is not accessible by default to any public IPs, or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink | Audit Deny Disabled | Audit Deny Disabled | Audit Deny Disabled | | | | | | |
Key Vault | Azure Key Vault should use RBAC permission model. Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
Key Vault | Azure Key Vaults should use private link. Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Audit Disabled | | | | | | | | |
Key Vault | Certificates should be issued by the specified integrated certificate authority. Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault, such as Digicert or GlobalSign. | Deny deny disabled audit | Deny deny disabled audit | | | | | | | |
Key Vault | Certificates should be issued by the specified non-integrated certificate authority. Manage your organizational compliance requirements by specifying a custom or internal certificate authority that can issue certificates in your key vault. | Disabled deny disabled audit | Disabled deny disabled audit | | | | | | | |
Key Vault | Certificates should have the specified lifetime action triggers. Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Audit deny disabled audit | Audit deny disabled audit | | | | | | | |
Key Vault | Certificates should have the specified maximum validity period. Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Disabled deny disabled audit | Disabled deny disabled audit | disabled deny audit | | | | | | |
Key Vault | Certificates should not expire within the specified number of days. Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Deny deny disabled audit | Deny deny disabled audit | | | | | | | |
Key Vault | Certificates should use allowed key types. Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Deny deny disabled audit | Deny deny disabled audit | | | | | | | |
Key Vault | Certificates using elliptic curve cryptography should have allowed curve names. Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Deny deny disabled audit | Deny deny disabled audit | | | | | | | |
Key Vault | Certificates using RSA cryptography should have the specified minimum key size. Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Deny deny disabled audit | Deny deny disabled audit | | | | | | | |
Key Vault | Configure Azure Key Vaults to use private DNS zones. Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. | DeployIfNotExists Disabled | | | | | | | | |
Key Vault | Configure key vaults to enable firewall. Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Modify Disabled | Modify Disabled | | | | | | | |
Key Vault | Deploy Activity Log Key Vault Delete Alert. Policy to Deploy Activity Log Key Vault Delete Alert | deployIfNotExists disabled | deployIfNotExists disabled | deployIfNotExists disabled | | | | | | |
Key Vault | Deploy Activity Log Managed HSMs Delete Alert. Policy to Deploy Activity Log Managed HSMs Delete Alert | deployIfNotExists disabled | deployIfNotExists disabled | deployIfNotExists disabled | | | | | | |
Key Vault | Deploy Key Vault Availability Alert. Policy to audit/deploy KeyVault Availability Alert | disabled deployIfNotExists | disabled deployIfNotExists | disabled deployIfNotExists | | | | | | |
Key Vault | Deploy Key Vault Capacity Alert. Policy to audit/deploy KeyVault Capacity Alert | disabled deployIfNotExists | disabled deployIfNotExists | disabled deployIfNotExists | | | | | | |
Key Vault | Deploy Key Vault Latency Alert. Policy to audit/deploy KeyVault Latency Alert | disabled deployIfNotExists | disabled deployIfNotExists | disabled deployIfNotExists | | | | | | |
Key Vault | Deploy Key Vault Requests Alert. Policy to audit/deploy KeyVault Requests Alert | disabled deployIfNotExists | disabled deployIfNotExists | disabled deployIfNotExists | | | | | | |
Key Vault | Deploy Managed HSMs Availability Alert. Policy to audit/deploy Managed HSMs Availability Alert | disabled deployIfNotExists | disabled deployIfNotExists | disabled deployIfNotExists | | | | | | |
Key Vault | Deploy Managed HSMs Latency Alert. Policy to audit/deploy Managed HSMs Latency Alert | disabled deployIfNotExists | disabled deployIfNotExists | disabled deployIfNotExists | | | | | | |
Key Vault | Key Vault keys should have an expiration date. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit Deny Disabled | Audit Deny Disabled | Disabled Deny Audit | | | | | | |
Key Vault | Key Vault secrets should have an expiration date. Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Audit Deny Disabled | Audit Deny Disabled | Disabled Deny Audit | | | | | | |
Key Vault | Key vaults should have deletion protection enabled. Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
Key Vault | Key vaults should have soft delete enabled. Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
Key Vault | Keys should be the specified cryptographic type RSA or EC. Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | Keys should have more than the specified number of days before expiration. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Audit Deny Disabled | Audit Deny Disabled | | | | | | | |
Key Vault | Keys should have the specified maximum validity period. Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. | Disabled Deny Audit | Disabled Deny Audit | | | | | | | |
Key Vault | Keys should not be active for longer than the specified number of days. Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. | Disabled Deny Audit | Disabled Deny Audit | | | | | | | |
Key Vault | Keys using elliptic curve cryptography should have the specified curve names. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | Keys using RSA cryptography should have a specified minimum key size. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | Resource logs in Key Vault should be enabled. Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists Disabled | | | | | | | | |
Key Vault | Secrets should have content type set. A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | Secrets should have more than the specified number of days before expiration. If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Audit Deny Disabled | Audit Deny Disabled | | | | | | | |
Key Vault | Secrets should have the specified maximum validity period. Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Key Vault | Secrets should not be active for longer than the specified number of days. If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. | Disabled Deny Audit | Disabled Deny Audit | | | | | | | |
Kubernetes | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed. Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists Disabled | | | | | | | | |
Kubernetes | Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed. The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | AuditIfNotExists Disabled | | | | | | | | |
Kubernetes | Azure Kubernetes Clusters should enable Key Management Service (KMS). Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption. | Audit Disabled | Audit Disabled | | | | | | | |
Kubernetes | Azure Kubernetes Clusters should use Azure CNI. Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni | Audit Disabled | Audit Disabled | | | | | | | |
Kubernetes | Azure Kubernetes Service clusters should have Defender profile enabled. Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Audit Disabled | | | | | | | | |
Kubernetes | Azure Kubernetes Service Clusters should have local authentication methods disabled. Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Kubernetes | Azure Kubernetes Service Private Clusters should be enabled. Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. | Deny Disabled Audit | Deny Disabled Audit | Deny Disabled Audit | | | | | | |
Kubernetes | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters. Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit Disabled | | | | | | | | |
Kubernetes | Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys. Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Kubernetes | Configure Azure Kubernetes Service clusters to enable Defender profile. Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | DeployIfNotExists Disabled | | | | | | | | |
Kubernetes | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters. Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | |
Kubernetes | Disable Command Invoke on Azure Kubernetes Service clusters. Disabling command invoke can enhance security by rejecting invoke-command access to the cluster. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
Kubernetes | Ensure cluster containers have readiness or liveness probes configured. This policy enforces that all pods have a readiness and/or liveness probe configured. Probe types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Kubernetes | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits. Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes cluster containers should not share host process ID or host IPC namespace. Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Deny deny disabled audit | Deny deny disabled audit | Audit deny disabled audit | | | | | | |
Kubernetes | Kubernetes cluster containers should only use allowed AppArmor profiles. Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes cluster containers should only use allowed capabilities. Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Deny deny disabled audit | Deny deny disabled audit | Audit deny disabled audit | | | | | | |
Kubernetes | Kubernetes cluster containers should only use allowed images. Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes cluster containers should run with a read only root file system. Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes cluster pod hostPath volumes should only use allowed host paths. Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes cluster pods and containers should only run with approved user and group IDs. Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes cluster pods should only use approved host network and port range. Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes cluster services should listen only on allowed ports. Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes cluster should not allow privileged containers. Do not allow privileged container creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Deny deny disabled audit | Deny deny disabled audit | Audit deny disabled audit | | | | | | |
Kubernetes | Kubernetes cluster should not use naked pods. Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Kubernetes | Kubernetes cluster Windows containers should not run as ContainerAdministrator. Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Kubernetes | Kubernetes clusters should be accessible only over HTTPS. Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | deny disabled audit | Audit deny disabled audit | | | | | | | |
Kubernetes | Kubernetes clusters should disable automounting API credentials. Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes clusters should not allow container privilege escalation. Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Deny deny disabled audit | Deny deny disabled audit | Audit deny disabled audit | | | | | | |
Kubernetes | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities. To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Audit deny disabled audit | | | | | | | | |
Kubernetes | Kubernetes clusters should not use the default namespace. Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Deny deny disabled audit | Deny deny disabled audit | Audit deny disabled audit | | | | | | |
Kubernetes | Kubernetes clusters should use internal load balancers. Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Deny deny disabled audit | Deny deny disabled audit | | | | | | | |
Kubernetes | Resource logs in Azure Kubernetes Service should be enabled. Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable them to make sure the logs will exist when needed. | AuditIfNotExists Disabled | | | | | | | | |
Kubernetes | Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host. To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service node VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Logic Apps | Configure Logic apps to use the latest TLS version. Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and new functionality of the latest version. | DeployIfNotExists Disabled | | | | | | | | |
Logic Apps | Logic app should only be accessible over HTTPS. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Deny Disabled Audit | | | | | | | | |
Logic Apps | Logic apps should disable public network access. Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint. | Deny Disabled Audit | | | | | | | | |
Logic Apps | Resource logs in Logic Apps should be enabled. Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists Disabled | | | | | | | | |
Machine Learning |
[Preview]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry Only deploy Registry Models in the allowed Registry and that are not restricted. |
Deny Disabled |
Deny Disabled |
|||||||
Machine Learning |
[Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. |
enforceSetting disabled |
enforceSetting disabled |
|||||||
Machine Learning |
[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. |
enforceSetting disabled |
enforceSetting disabled |
|||||||
Machine Learning |
[Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide the registries that are allowed for specified Azure Machine Learning computes; this can be assigned at the workspace level. For more information, visit https://aka.ms/amlpolicydoc. |
enforceSetting disabled |
enforceSetting disabled |
|||||||
Machine Learning |
Azure Machine Learning Compute Instance should have idle shutdown. Having an idle shutdown schedule reduces cost by shutting down computes that are idle after a pre-determined period of activity. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Machine Learning |
Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. |
Audit Disabled |
Audit Disabled |
Audit Disabled |
||||||
Machine Learning |
Azure Machine Learning Computes should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. |
Audit Disabled |
Audit Disabled |
Audit Disabled |
||||||
Machine Learning |
Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Machine Learning |
Azure Machine Learning workspaces should be encrypted with a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. |
Deny Disabled Audit |
Deny Disabled Audit |
Disabled Deny Audit |
||||||
Machine Learning |
Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. |
Audit Deny Disabled |
Deny Disabled Audit |
|||||||
Machine Learning |
Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility Azure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: https://aka.ms/V1LegacyMode. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Machine Learning |
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. |
Audit Disabled |
Audit Disabled |
Audit Disabled |
||||||
Machine Learning |
Azure Machine Learning workspaces should use user-assigned managed identity Manage access to the Azure ML workspace and its associated resources (Azure Container Registry, KeyVault, Storage, and App Insights) using a user-assigned managed identity. By default, a system-assigned managed identity is used by the Azure ML workspace to access the associated resources. A user-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Machine Learning |
Configure Azure Machine Learning Computes to disable local authentication methods Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. |
Modify Disabled |
Modify Disabled |
|||||||
Machine Learning |
Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. |
DeployIfNotExists Disabled |
||||||||
Machine Learning |
Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. |
Modify Disabled |
Modify Disabled |
|||||||
Machine Learning |
Resource logs in Azure Machine Learning Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
||||||
Managed Grafana |
Azure Managed Grafana workspaces should disable public network access Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces. |
Deny Disabled Audit |
||||||||
Managed Grafana |
Configure Azure Managed Grafana workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. |
DeployIfNotExists Disabled |
||||||||
Managed Identity |
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Managed Identity |
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Media Services |
Configure Azure Media Services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. |
DeployIfNotExists Disabled |
||||||||
Media Services |
Configure Azure Media Services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. |
DeployIfNotExists Disabled |
||||||||
Media Services |
Configure Azure Media Services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. |
DeployIfNotExists Disabled |
||||||||
Migrate |
Configure Azure Migrate resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Monitoring |
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. |
AuditIfNotExists Disabled |
||||||||
Monitoring |
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. |
Disabled AuditIfNotExists |
||||||||
Monitoring |
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |
AuditIfNotExists Disabled |
||||||||
Monitoring |
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |
AuditIfNotExists Disabled |
||||||||
Monitoring |
Configure Azure Monitor Private Link Scope to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. |
DeployIfNotExists Disabled |
||||||||
Monitoring |
Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Deploy Activity Log LA Workspace Delete Alert Policy to Deploy Activity Log LA Workspace Delete Alert |
deployIfNotExists disabled |
||||||||
Monitoring |
Deploy Activity Log LA Workspace Regenerate Key Alert Policy to Deploy Activity Log LA Workspace Regenerate Key Alert |
deployIfNotExists disabled |
||||||||
Monitoring |
Deploy Activity Log Storage Account Delete Alert Policy to Deploy Activity Log Storage Account Delete Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
deployIfNotExists disabled |
||||||
Monitoring |
Deploy AMBA Notification Assets Policy to deploy Action Group and Alert Processing Rule for all AMBA alerts |
deployIfNotExists |
||||||||
Monitoring |
Deploy AMBA Notification Suppression Asset Policy to deploy empty and disabled suppression Alert Processing Rule for all AMBA alerts |
deployIfNotExists |
||||||||
Monitoring |
Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Monitoring |
Deploy LA Workspace Daily Cap Limit Reached Alert Policy to audit/deploy LA Workspace Daily Cap Limit Reached Alert |
deployIfNotExists disabled |
||||||||
Monitoring |
Deploy Resource Health Unhealthy Alert Policy to Deploy Resource Health Unhealthy Alert |
deployIfNotExists disabled |
||||||||
Monitoring |
Deploy Service Health Action Group Policy to deploy action group for Service Health alerts |
deployIfNotExists |
||||||||
Monitoring |
Deploy Service Health Advisory Alert Policy to Deploy Service Health Advisory Alert |
deployIfNotExists disabled |
||||||||
Monitoring |
Deploy Service Health Incident Alert Policy to Deploy Service Health Incident Alert |
deployIfNotExists disabled |
||||||||
Monitoring |
Deploy Service Health Maintenance Alert Policy to Deploy Service Health Maintenance Alert |
deployIfNotExists disabled |
||||||||
Monitoring |
Deploy Service Health Security Advisory Alert Policy to Deploy Service Health Security Advisory Alert |
deployIfNotExists disabled |
||||||||
Monitoring |
Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Analysis Services (microsoft.analysisservices/servers). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service Environments (microsoft.web/hostingenvironments). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application gateways (microsoft.network/applicationgateways). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application groups (microsoft.desktopvirtualization/applicationgroups). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Application Insights (microsoft.insights/components) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (microsoft.insights/components). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure AD Domain Services (microsoft.aad/domainservices). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure API for FHIR (microsoft.healthcareapis/services). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Data Explorer Clusters (microsoft.kusto/clusters). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MySQL servers (microsoft.dbformysql/servers). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Databricks Services (microsoft.databricks/workspaces). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Load Testing (microsoft.loadtestservice/loadtests). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Managed Grafana (microsoft.dashboard/grafana). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Spring Apps (microsoft.appplatform/spring). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Synapse Analytics (microsoft.synapse/workspaces). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Video Indexer (microsoft.videoindexer/accounts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Backup vaults (microsoft.dataprotection/backupvaults). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Batch accounts (microsoft.batch/batchaccounts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bot Services (microsoft.botservice/botservices). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Caches (microsoft.cache/redisenterprise/databases). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Chaos Experiments (microsoft.chaos/experiments). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Communication Services (microsoft.communication/communicationservices). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Connected Cache Resources (microsoft.connectedcache/ispcustomers). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container Apps Environments (microsoft.app/managedenvironments). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container instances (microsoft.containerinstance/containergroups). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data collection rules (microsoft.insights/datacollectionrules). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data factories (V2) (microsoft.datafactory/factories). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Analytics (microsoft.datalakeanalytics/accounts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Shares (microsoft.datashare/accounts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dev centers (microsoft.devcenter/devcenters). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Endpoints (microsoft.cdn/profiles/endpoints). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid System Topics (microsoft.eventgrid/systemtopics). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for ExpressRoute circuits (microsoft.network/expressroutecircuits). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewalls (microsoft.network/azurefirewalls). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Host pools (microsoft.desktopvirtualization/hostpools). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for HPC caches (microsoft.storagecache/caches). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Integration accounts (microsoft.logic/integrationaccounts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Live events (microsoft.media/mediaservices/liveevents). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Load balancers (microsoft.network/loadbalancers). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Logic apps (microsoft.logic/workflows) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Logic apps (microsoft.logic/workflows). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed CCF Apps (microsoft.confidentialledger/managedccfs). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed databases (microsoft.sql/managedinstances/databases). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.autonomousdevelopmentplatform/workspaces. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.azuresphere/catalogs to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.azuresphere/catalogs. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.cdn/cdnwebapplicationfirewallpolicies. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.classicnetwork/networksecuritygroups. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.community/communitytrainings to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.community/communitytrainings. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.connectedcache/enterprisemcccustomers. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.customproviders/resourceproviders to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.customproviders/resourceproviders. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.d365customerinsights/instances to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.d365customerinsights/instances. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbformysql/flexibleservers. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/flexibleservers. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servergroupsv2. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists | | | | | | | | |
Monitoring | Enable logging by category group for microsoft.dbforpostgresql/servers to Log Analytics<br/>Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servers. | SetByParameter<br/>Disabled, AuditIfNotExists, DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.devices/provisioningservices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.devices/provisioningservices. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.documentdb/cassandraclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/cassandraclusters. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.documentdb/mongoclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/mongoclusters. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.insights/autoscalesettings to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.insights/autoscalesettings. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.machinelearningservices/registries to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/registries. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/workspaces/onlineendpoints. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.managednetworkfabric/networkdevices. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/dnsresolverpolicies. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networkmanagers/ipampools. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.network/networksecurityperimeters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networksecurityperimeters. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.network/vpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/vpngateways. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.networkanalytics/dataproducts to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkanalytics/dataproducts. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.networkcloud/baremetalmachines to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/baremetalmachines. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.networkcloud/clusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/clusters. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.networkcloud/storageappliances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/storageappliances. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkfunction/azuretrafficcollectors. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.notificationhubs/namespaces/notificationhubs. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.openenergyplatform/energyservices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.openenergyplatform/energyservices. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.powerbi/tenants/workspaces to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.powerbi/tenants/workspaces. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.servicenetworking/trafficcontrollers. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.synapse/workspaces/kustopools to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.synapse/workspaces/kustopools. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.timeseriesinsights/environments to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments/eventsources. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for microsoft.workloads/sapvirtualinstances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.workloads/sapvirtualinstances. |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network Managers (microsoft.network/networkmanagers). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network security groups (microsoft.network/networksecuritygroups). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Playwright Testing (microsoft.azureplaywrightservice/accounts). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Power BI Embedded (microsoft.powerbidedicated/capacities). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP Prefixes (microsoft.network/publicipprefixes). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Recovery Services vaults (microsoft.recoveryservices/vaults). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Relays (microsoft.relay/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Relays (microsoft.relay/namespaces). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Scaling plans (microsoft.desktopvirtualization/scalingplans). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SCOPE pools (microsoft.synapse/workspaces/scopepools). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Search services (microsoft.search/searchservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Search services (microsoft.search/searchservices). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Storage movers (microsoft.storagemover/storagemovers). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual networks (microsoft.network/virtualnetworks). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Monitoring |
Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Workspaces (microsoft.desktopvirtualization/workspaces). |
SetByParameter Disabled AuditIfNotExists DeployIfNotExists |
||||||||
Network |
[Deprecated]: Azure firewall policy should enable TLS inspection within application rules This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
[Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
[Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
[Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
[Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
[Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |
AuditIfNotExists Disabled |
||||||||
Network |
Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2 This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2 |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Network |
Deny or Audit service endpoints on subnets This policy will deny/audit Service Endpoints on subnets. Service Endpoints allow network traffic to bypass network appliances, such as the Azure Firewall. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
Deny vNet peering cross subscription. This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope. |
Deny Disabled Audit |
||||||||
Network |
Deploy Activity Log Azure FireWall Delete Alert Policy to Deploy Activity Log Azure Firewall Delete Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy Activity Log NSG Delete Alert Policy to Deploy Activity Log NSG Delete Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Network |
Deploy Activity Log Route Table Update Alert Policy to Deploy Activity Log Route Table Update Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Network |
Deploy Activity Log VPN Gateway Delete Alert Policy to Deploy Activity Log VPN Gateway Delete Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy AFW FirewallHealth Alert Policy to audit/deploy Azure Firewall FirewallHealth Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy AFW SNATPortUtilization Alert Policy to audit/deploy Azure Firewall SNATPortUtilization Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy ERG ExpressRoute Bits In Alert Policy to audit/deploy ER Gateway Connection BitsInPerSecond Alert |
disabled deployIfNotExists |
||||||||
Network |
Deploy ERG ExpressRoute Bits Out Alert Policy to audit/deploy ER Gateway Connection BitsOutPerSecond Alert |
disabled deployIfNotExists |
||||||||
Network |
Deploy ERG ExpressRoute CPU Utilization Alert Policy to audit/deploy ER Gateway Express Route CPU Utilization Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy ExpressRoute Circuits Arp Availability Alert Policy to audit/deploy ExpressRoute Circuits Arp Availability Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy ExpressRoute Circuits Bgp Availability Alert Policy to audit/deploy ExpressRoute Circuits Bgp Availability Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy ExpressRoute Circuits QosDropBitsInPerSecond Alert Policy to audit/deploy ExpressRoute Circuits QosDropBitsInPerSecond Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy ExpressRoute Circuits QosDropBitsOutPerSecond Alert Policy to audit/deploy ExpressRoute Circuits QosDropBitsOutPerSecond Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy PDNSZ Capacity Utilization Alert Policy to audit/deploy Private DNS Zone Capacity Utilization Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy PDNSZ Query Volume Alert Policy to audit/deploy Private DNS Zone Query Volume Alert |
disabled deployIfNotExists |
||||||||
Network |
Deploy PDNSZ Record Set Capacity Alert Policy to audit/deploy Private DNS Zone Record Set Capacity Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy PDNSZ Registration Capacity Utilization Alert Policy to audit/deploy Private DNS Zone Registration Capacity Utilization Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy PIP Bytes in DDoS Attack Alert Policy to audit/deploy PIP Bytes in DDoS Attack Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
|||||||
Network |
Deploy PIP DDoS Attack Alert Policy to audit/deploy PIP DDoS Attack Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Network |
Deploy PIP Packets in DDoS Attack Alert Policy to audit/deploy PIP Packets in DDoS Attack Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
|||||||
Network |
Deploy PIP VIP Availability Alert Policy to audit/deploy PIP VIP Availability Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Network |
Deploy VNet DDoS Attack Alert Policy to audit/deploy Virtual Network DDoS Attack Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Network |
Deploy VNetG Egress Packet Drop Count Alert Policy to audit/deploy Vnet Gateway Egress Packet Drop Count Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VNetG Egress Packet Drop Mismatch Alert Policy to audit/deploy Vnet Gateway Egress Packet Drop Mismatch Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VNetG ExpressRoute Bits Per Second Alert Policy to audit/deploy Virtual Network Gateway Express Route Bits Per Second Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VNetG ExpressRoute CPU Utilization Alert Policy to audit/deploy Virtual Network Gateway Express Route CPU Utilization Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VNetG Ingress Packet Drop Count Alert Policy to audit/deploy Vnet Gateway Ingress Packet Drop Count Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VNetG Ingress Packet Drop Mismatch Alert Policy to audit/deploy Vnet Gateway Ingress Packet Drop Mismatch Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VNetG Tunnel Bandwidth Alert Policy to audit/deploy Virtual Network Gateway Tunnel Bandwidth Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VNetG Tunnel Egress Alert Policy to audit/deploy Virtual Network Gateway Tunnel Egress Alert |
disabled deployIfNotExists |
||||||||
Network |
Deploy VNetG Tunnel Ingress Alert Policy to audit/deploy Virtual Network Gateway Tunnel Ingress Alert |
disabled deployIfNotExists |
||||||||
Network |
Deploy VPNG BGP Peer Status Alert Policy to audit/deploy VPN Gateway BGP Peer Status Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VPNG Bandwidth Utilization Alert Policy to audit/deploy VPN Gateway Bandwidth Utilization Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VPNG Egress Alert Policy to audit/deploy VPN Gateway Egress Alert |
disabled deployIfNotExists |
||||||||
Network |
Deploy VPNG Egress Packet Drop Count Alert Policy to audit/deploy VPN Gateway Egress Packet Drop Count Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VPNG Egress Packet Drop Mismatch Alert Policy to audit/deploy VPN Gateway Egress Packet Drop Mismatch Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VPNG Ingress Alert Policy to audit/deploy VPN Gateway Ingress Alert |
disabled deployIfNotExists |
||||||||
Network |
Deploy VPNG Ingress Packet Drop Count Alert Policy to audit/deploy VPN Gateway Ingress Packet Drop Count Alert |
deployIfNotExists disabled |
||||||||
Network |
Deploy VPNG Ingress Packet Drop Mismatch Alert Policy to audit/deploy VPN Gateway Ingress Packet Drop Mismatch Alert |
deployIfNotExists disabled |
||||||||
Network |
Enforce specific configuration of Network Security Groups (NSG) This policy enforces the configuration of Network Security Groups (NSG). |
Disabled Modify |
Disabled Modify |
|||||||
Network |
Enforce specific configuration of User-Defined Routes (UDR) This policy enforces the configuration of User-Defined Routes (UDR) within a subnet. |
Disabled Modify |
Disabled Modify |
|||||||
Network |
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. |
deny |
deny |
|||||||
Network |
Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
Network interfaces should disable IP forwarding This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. |
deny |
deny |
|||||||
Network |
Network interfaces should not have public IPs This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. |
deny |
deny |
|||||||
Network |
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems with an end-to-end network level view. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. |
AuditIfNotExists Disabled |
||||||||
Network |
Subnets should have a Network Security Group This policy denies the creation of a subnet without a Network Security Group. NSGs help protect traffic at the subnet level. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
Subnets should have a User Defined Route This policy denies the creation of a subnet without a User Defined Route (UDR). |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
Virtual networks should be protected by Azure DDoS Protection Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. |
Modify Disabled Audit |
Modify Disabled Audit |
|||||||
Network |
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Network |
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Network |
Web Application Firewall (WAF) should use the specified mode for Application Gateway Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Network |
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Networking |
Deploy ER Direct ExpressRoute RxLightLevel High Alert Policy to audit/deploy ER Direct RxLightLevel High Alert |
deployIfNotExists disabled |
||||||||
Networking |
Deploy Frontdoor Backend Health Percentage Alert Policy to audit/deploy FrontDoor Backend Health Percentage Alert |
deployIfNotExists disabled |
||||||||
Networking |
Deploy Frontdoor Backend Request Latency Alert Policy to audit/deploy Frontdoor Backend Request Latency Alert |
deployIfNotExists disabled |
||||||||
Networking |
Deploy FrontDoor CDN Profile Origin Latency Alert Policy to audit/deploy FrontDoor CDN Profile Origin Latency Alert |
disabled deployIfNotExists |
||||||||
Networking |
Deploy FrontDoor CDN Profile Percentage4XX Alert Policy to audit/deploy FrontDoor CDN Profile Percentage4XX Alert |
deployIfNotExists disabled |
||||||||
Networking |
Deploy FrontDoor CDN Profile Percentage5XX Alert Policy to audit/deploy FrontDoor CDN Profile Percentage5XX Alert |
deployIfNotExists disabled |
||||||||
Resilience |
[Preview]: API Management Service should be Zone Redundant API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in its zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: App Service Plans should be Zone Redundant App Service Plans can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for an App Service Plan, it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for App Service Plans. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Application Gateways should be Zone Resilient Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gateways that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gateways with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Azure AI Search Service should be Zone Redundant Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Azure Cache for Redis should be Zone Redundant Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array or zonalAllocationPolicy is set to 'NoZones' or the sku is 'Basic' are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Azure Data Explorer Clusters should be Zone Redundant Azure Data Explorer Clusters can be configured to be Zone Redundant or not. An Azure Data Explorer Cluster is considered Zone Redundant if it has at least two entries in its zones array. This policy helps ensure that your Azure Data Explorer Clusters are Zone Redundant. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Azure Database for MySQL Flexible Server should be Zone Resilient Azure Database for MySQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. A MySQL Server that has a standby server selected in the same zone for high availability is considered Zone Aligned. In contrast, a MySQL Server that has a standby server selected in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. A PostgreSQL Server that has a standby server selected in the same zone for high availability is considered Zone Aligned. In contrast, a PostgreSQL Server that has a standby server selected in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Azure HDInsight should be Zone Aligned Azure HDInsight can be configured to be Zone Aligned or not. Azure HDInsight that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an Azure HDInsight cluster is configured to operate within a single availability zone. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Azure Kubernetes Service Managed Clusters should be Zone Redundant Azure Kubernetes Service Managed Clusters can be configured to be Zone Redundant or not. The policy checks the node pools in the cluster and ensures that availability zones are set for all the node pools. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Azure Managed Grafana should be Zone Redundant Azure Managed Grafana can be configured to be Zone Redundant or not. An Azure Managed Grafana instance is Zone Redundant if its 'zoneRedundancy' property is set to 'Enabled'. Enforcing this policy helps ensure that your Azure Managed Grafana is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Backup and Site Recovery should be Zone Redundant Backup and Site Recovery can be configured to be Zone Redundant or not. Backup and Site Recovery is Zone Redundant if its 'standardTierStorageRedundancy' property is set to 'ZoneRedundant'. Enforcing this policy helps ensure that Backup and Site Recovery is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Backup Vaults should be Zone Redundant Backup Vaults can be configured to be Zone Redundant or not. Backup Vaults are Zone Redundant, and considered resilient, if their storage settings type is set to 'ZoneRedundant'. Geo Redundant or Locally Redundant Backup Vaults are not considered resilient. Enforcing this policy helps ensure that Backup Vaults are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Container App should be Zone Redundant Container App can be configured to be Zone Redundant or not. A Container App is Zone Redundant if its managed environment's 'ZoneRedundant' property is set to true. This policy identifies Container App lacking the redundancy needed to withstand a zone outage. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Container Instances should be Zone Aligned Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Container Registry should be Zone Redundant Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Cosmos Database Accounts should be Zone Redundant Cosmos Database Accounts can be configured to be Zone Redundant or not. If the 'enableMultipleWriteLocations' is set to 'true' then all locations must have a 'isZoneRedundant' property and it must be set to 'true'. If the 'enableMultipleWriteLocations' is set to 'false' then the primary location ('failoverPriority' set to 0) must have a 'isZoneRedundant' property and it must be set to 'true'. Enforcing this policy ensures Cosmos Database Accounts are appropriately configured for zone redundancy. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Event Hubs should be Zone Redundant Event Hubs can be configured to be Zone Redundant or not. Event Hubs are Zone Redundant if their 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Firewalls should be Zone Resilient Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Load Balancers should be Zone Resilient Load Balancers with a sku other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Managed Disks should be Zone Resilient Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: NAT gateway should be Zone Aligned NAT gateway can be configured to be Zone Aligned or not. A NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that a NAT gateway is configured to operate within a single availability zone. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Public IP addresses should be Zone Resilient Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Public IP Prefixes should be Zone Resilient Public IP Prefixes can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP prefixes that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP prefixes with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Service Bus should be Zone Redundant Service Bus can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for a Service Bus, it means it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for Service Bus instances. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Service Fabric Clusters should be Zone Redundant Service Fabric Clusters can be configured to be Zone Redundant or not. Service Fabric Clusters whose nodeType does not have multipleAvailabilityZones set to true are not Zone Redundant. This policy identifies Service Fabric Clusters lacking the redundancy needed to withstand a zone outage. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: SQL Databases should be Zone Redundant SQL Databases can be configured to be Zone Redundant or not. Databases with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL databases that need zone redundancy configuration to enhance availability and resilience within Azure. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: SQL Elastic database pools should be Zone Redundant SQL Elastic database pools can be configured to be Zone Redundant or not. SQL Elastic database pools are Zone Redundant if their 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: SQL Managed Instances should be Zone Redundant SQL Managed Instances can be configured to be Zone Redundant or not. Instances with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL managedInstances that need zone redundancy configuration to enhance availability and resilience within Azure. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Storage Accounts should be Zone Redundant Storage Accounts can be configured to be Zone Redundant or not. If a Storage Account's SKU name does not end with 'ZRS' or its kind is 'Storage', it is not Zone Redundant. This policy ensures that your Storage Accounts use a Zone Redundant configuration. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Virtual Machine Scale Sets should be Zone Resilient Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Virtual Machines should be Zone Aligned Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. |
Audit Deny Disabled |
||||||||
Resilience |
[Preview]: Virtual network gateways should be Zone Redundant Virtual network gateways can be configured to be Zone Redundant or not. Virtual network gateways whose SKU name or tier does not end with 'AZ' are not Zone Redundant. This policy identifies Virtual network gateways lacking the redundancy needed to withstand a zone outage. |
Audit Deny Disabled |
||||||||
Search |
Azure AI Search service should use a SKU that supports private link With supported SKUs of Azure AI Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Search |
Azure AI Search services should disable public network access Disabling public network access improves security by ensuring that your Azure AI Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. |
Deny Disabled Audit |
||||||||
Search |
Azure AI Search services should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure AI Search portal functionality since some features of the Portal use the GA API which does not support the parameter. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Search |
Azure AI Search services should use customer-managed keys to encrypt data at rest Enabling encryption at rest using a customer-managed key on your Azure AI Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
|||||||
Search |
Configure Azure AI Search services to disable local authentication Disable local authentication methods so that your Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. |
Modify Disabled |
Modify Disabled |
|||||||
Search |
Configure Azure AI Search services to disable public network access Disable public network access for your Azure AI Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. |
Modify Disabled |
Modify Disabled |
|||||||
Search |
Configure Azure AI Search services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure AI Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. |
DeployIfNotExists Disabled |
||||||||
Search |
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
||||||
Security Center |
[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign these replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
|||||||
Security Center |
[Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
[Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines |
DeployIfNotExists Disabled AuditIfNotExists |
||||||||
Security Center |
[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. |
DeployIfNotExists Disabled AuditIfNotExists |
||||||||
Security Center |
[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. |
DeployIfNotExists Disabled AuditIfNotExists |
||||||||
Security Center |
[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines Deploys Microsoft Defender for Endpoint on applicable Windows VM images. |
DeployIfNotExists Disabled AuditIfNotExists |
||||||||
Security Center |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. |
AuditIfNotExists Disabled |
||||||||
Security Center |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. |
AuditIfNotExists Disabled |
||||||||
Security Center |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. |
AuditIfNotExists Disabled |
||||||||
Security Center |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. |
AuditIfNotExists Disabled |
||||||||
Security Center |
[Preview]: Linux virtual machines should use only signed and trusted boot components All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components. |
AuditIfNotExists Disabled |
||||||||
Security Center |
[Preview]: Secure Boot should be enabled on supported Windows virtual machines Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. |
Audit Disabled |
||||||||
Security Center |
[Preview]: vTPM should be enabled on supported virtual machines Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. |
Audit Disabled |
||||||||
Security Center |
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |
AuditIfNotExists Disabled |
||||||||
Security Center |
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |
AuditIfNotExists Disabled |
||||||||
Security Center |
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |
AuditIfNotExists Disabled |
||||||||
Security Center |
API endpoints in Azure API Management should be authenticated API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication |
AuditIfNotExists Disabled |
||||||||
Security Center |
API endpoints that are unused should be disabled and removed from the Azure API Management service As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |
Audit Disabled |
||||||||
Security Center |
Azure DDoS Protection should be enabled DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure Defender for open-source relational databases should be enabled Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure Defender for SQL should be enabled for unprotected MySQL flexible servers Audit MySQL flexible servers without Advanced Data Security |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers Audit PostgreSQL flexible servers without Advanced Data Security |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers Enable Advanced Threat Protection on your Azure database for MySQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure Azure Defender for App Service to be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Azure Defender for Azure SQL database to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Azure Defender for open-source relational databases to be enabled Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Azure Defender for servers to be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Azure Defender for SQL servers on machines to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure ChangeTracking Extension for Linux Arc machines Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure ChangeTracking Extension for Linux virtual machines Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure ChangeTracking Extension for Windows Arc machines Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure ChangeTracking Extension for Windows virtual machines Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Microsoft Defender CSPM plan Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Microsoft Defender for Azure Cosmos DB to be enabled Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Microsoft Defender for Containers to be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX...) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_EXCLUDE_LINUX_...), for enabling auto provisioning of MDE for Linux servers. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_UNIFIED_SOLUTION), for enabling auto provisioning of MDE Unified Agent for Windows Server 2012R2 and 2016. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP), for Windows downlevel machines onboarded to MDE via MMA, and auto provisioning of MDE on Windows Server 2019, Windows Virtual Desktop and above. Must be turned on in order for the other settings (WDATP_UNIFIED, etc.) to work. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Microsoft Defender for Key Vault plan Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure Microsoft Defender for SQL to be enabled on Synapse workspaces Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
||||||
Security Center |
Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. |
DeployIfNotExists Disabled |
||||||||
Security Center |
Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Security Center |
Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. |
DeployIfNotExists Disabled AuditIfNotExists |
DeployIfNotExists Disabled AuditIfNotExists |
|||||||
Security Center |
Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. |
deployIfNotExists | ||||||||
Security Center |
Deploy Microsoft Defender for Cloud Security Contacts Deploy Microsoft Defender for Cloud Security Contacts |
DeployIfNotExists Disabled |
||||||||
Security Center |
Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Email notification to subscription owner for high severity alerts should be enabled To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Guest accounts with read permissions on Azure resources should be removed External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc |
AuditIfNotExists Disabled |
||||||||
Security Center |
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |
AuditIfNotExists Disabled |
||||||||
Security Center |
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Microsoft Defender CSPM should be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. |
Audit Disabled |
||||||||
Security Center |
Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc |
AuditIfNotExists Disabled |
||||||||
Security Center |
Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |
Audit Disabled |
||||||||
Security Center |
Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for Cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. |
DeployIfNotExists Disabled |
||||||||
Security Center |
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |
AuditIfNotExists Disabled |
||||||||
Security Center |
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. Learn more: https://aka.ms/SQLAMAMigration |
AuditIfNotExists Disabled |
||||||||
Security Center |
SQL servers on machines should have vulnerability findings resolved SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. |
Disabled AuditIfNotExists |
||||||||
Security Center |
Subscriptions should have a contact email address for security issues To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. |
AuditIfNotExists Disabled |
||||||||
Security Center |
System updates should be installed on your machines (powered by Update Center) Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. |
AuditIfNotExists Disabled |
||||||||
Security Center |
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |
AuditIfNotExists Disabled |
||||||||
Security Center |
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol |
AuditIfNotExists Disabled |
||||||||
Service Bus |
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Service Bus |
Azure Service Bus namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Service Bus |
Configure Azure Service Bus namespaces to disable local authentication Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. |
Modify Disabled |
Modify Disabled |
|||||||
Service Bus |
Configure Service Bus namespaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. |
DeployIfNotExists Disabled |
||||||||
Service Bus |
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
AuditIfNotExists Disabled |
||||||||
Service Bus |
Service Bus Namespaces should disable public network access Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service |
Deny Disabled Audit |
||||||||
Service Bus |
Service Bus namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the namespace is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Service Bus |
Service Bus Premium namespaces should use a customer-managed key for encryption Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. |
Audit Disabled |
Audit Disabled |
|||||||
Service Fabric |
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. |
Audit Deny Disabled |
||||||||
Service Fabric |
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric |
Audit Deny Disabled |
||||||||
SignalR |
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. |
Audit Disabled |
||||||||
SignalR |
Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SignalR Service resource. Learn more at: https://aka.ms/asrs/privatelink. |
DeployIfNotExists Disabled |
||||||||
Site Recovery |
[Preview]: Configure Azure Recovery Services vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://aka.ms/privatednszone. |
DeployIfNotExists Disabled |
||||||||
Site Recovery |
Deploy RV ASR Health Monitoring Alerts Policy to audit/update Recovery Vault ASR Health Alerting to Azure monitor alerts |
Modify Disabled Audit |
Modify Disabled Audit |
Modify Disabled Audit |
||||||
Site Recovery |
Deploy RV Backup Health Monitoring Alerts Policy to audit/update Recovery Vault Backup Health Alerting to Azure monitor alerts |
Modify Disabled Audit |
Modify Disabled Audit |
Modify Disabled Audit |
||||||
SQL |
[Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure PostgreSQL flexible server can exclusively be accessed by Microsoft Entra identities. |
Audit Disabled |
||||||||
SQL |
A Microsoft Entra administrator should be provisioned for MySQL servers Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |
AuditIfNotExists Disabled |
||||||||
SQL |
A Microsoft Entra administrator should be provisioned for PostgreSQL servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |
AuditIfNotExists Disabled |
||||||||
SQL |
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |
AuditIfNotExists Disabled |
||||||||
SQL |
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |
AuditIfNotExists Disabled |
||||||||
SQL |
Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. Deploy a specific minimum TLS version requirement and enforce SSL on Azure Database for MySQL server. Requiring client applications to connect with at least that TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |
DeployIfNotExists Disabled |
||||||||
SQL |
Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL Deploy a specific minimum TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforcing a minimum TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |
DeployIfNotExists Disabled |
||||||||
SQL |
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security. |
AuditIfNotExists Disabled |
||||||||
SQL |
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. |
AuditIfNotExists Disabled |
||||||||
SQL |
Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. |
AuditIfNotExists Disabled |
||||||||
SQL |
Azure SQL Database should be running TLS version 1.2 or newer Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. |
Deny Disabled Audit |
Audit Deny Disabled |
|||||||
SQL |
Azure SQL Database should have Microsoft Entra-only authentication enabled Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. |
Audit Deny Disabled |
||||||||
SQL |
Azure SQL Database should have Microsoft Entra-only authentication enabled during creation Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
SQL |
Azure SQL Database should have the minimal TLS version set to the highest version Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. |
Audit Deny Disabled |
||||||||
SQL |
Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. |
Audit Deny Disabled |
||||||||
SQL |
Azure SQL Managed Instances should disable public network access Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://aka.ms/mi-public-endpoint. |
Audit Deny Disabled |
Deny Disabled Audit |
|||||||
SQL |
Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
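The four Microsoft Entra-only rows above (Azure SQL Database and Azure SQL Managed Instance, each with an "enabled" policy and an "enabled during creation" policy) describe a gap that is easy to miss: one policy watches the server PUT, the other watches the child resource that toggles local authentication, so each blocks a request the other never evaluates. The following added example (not code from this wiki or from Azure Policy) models that evaluation with a minimal deny engine. It assumes, mirroring the shape of the built-in definitions, that the "enabled" policy targets the child type Microsoft.Sql/servers/azureADOnlyAuthentications with an `equals false` condition, and that the "during creation" policy targets Microsoft.Sql/servers with a `notEquals true` condition on administrators.azureADOnlyAuthentication; the request bodies and the Managed Instance analogue (Microsoft.Sql/managedInstances) are constructed for illustration.

```python
# Added example, not the wiki's or Azure's code: a minimal model of how a
# 'deny' policy evaluates an ARM PUT, showing why the two Entra-only policies
# cover different requests and are needed together.
#
# Assumption (labelled): resource types and field paths mirror the built-in
# definitions' shape. The real engine uses aliases over the full ARM body;
# here the request carries only the 'properties' dictionary.
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Any, Callable


@dataclass(frozen=True)
class Policy:
    name: str
    resource_type: str               # only PUTs of this type are evaluated
    field_path: str                  # dotted path into the request properties
    violates: Callable[[Any], bool]  # True when the field value breaks the rule
    effect: str                      # "Deny" blocks the PUT, "Audit" only records it


@dataclass(frozen=True)
class PutRequest:
    resource_type: str
    properties: dict


def get_field(properties: dict, path: str) -> Any:
    """Walk a dotted path; an absent field yields None."""
    cur: Any = properties
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


ENTRA_ONLY_ENABLED = Policy(
    name="Microsoft Entra-only authentication enabled",
    resource_type="Microsoft.Sql/servers/azureADOnlyAuthentications",
    field_path="azureADOnlyAuthentication",
    violates=lambda v: v is False,     # 'equals false': an absent field does not trip it
    effect="Deny",
)
ENTRA_ONLY_AT_CREATE = Policy(
    name="Microsoft Entra-only authentication enabled during creation",
    resource_type="Microsoft.Sql/servers",
    field_path="administrators.azureADOnlyAuthentication",
    violates=lambda v: v is not True,  # 'notEquals true': an absent field also trips it
    effect="Deny",
)
BOTH = [ENTRA_ONLY_ENABLED, ENTRA_ONLY_AT_CREATE]


def evaluate(req: PutRequest, policies: list[Policy]) -> list[tuple[str, str]]:
    """Return (policy name, effect) for every policy the request trips."""
    hits = []
    for p in policies:
        if p.resource_type.lower() != req.resource_type.lower():
            continue  # the policy's 'type' condition fails, so it never sees this PUT
        if p.violates(get_field(req.properties, p.field_path)):
            hits.append((p.name, p.effect))
    return hits


def is_denied(req: PutRequest, policies: list[Policy]) -> bool:
    return any(effect == "Deny" for _, effect in evaluate(req, policies))


def as_audit(p: Policy) -> Policy:
    """Same rule assigned with the Audit effect: it reports but does not block."""
    return replace(p, effect="Audit")


# Constructed sample requests (not captured traffic).
CREATE_WITH_LOCAL_AUTH = PutRequest("Microsoft.Sql/servers", {
    "administratorLogin": "sqladmin",
    "administrators": {"login": "dba-group", "azureADOnlyAuthentication": False},
})
CREATE_NO_ENTRA_ADMIN = PutRequest("Microsoft.Sql/servers", {"administratorLogin": "sqladmin"})
CREATE_ENTRA_ONLY = PutRequest("Microsoft.Sql/servers", {
    "administrators": {"login": "dba-group", "azureADOnlyAuthentication": True},
})
# Re-enabling local auth after creation is a PUT on the child resource.
REENABLE_LOCAL_AUTH = PutRequest("Microsoft.Sql/servers/azureADOnlyAuthentications",
                                 {"azureADOnlyAuthentication": False})

if __name__ == "__main__":
    for label, req in [("create with local auth", CREATE_WITH_LOCAL_AUTH),
                       ("re-enable local auth", REENABLE_LOCAL_AUTH)]:
        print(label, "| enabled-only:", is_denied(req, [ENTRA_ONLY_ENABLED]),
              "| at-create-only:", is_denied(req, [ENTRA_ONLY_AT_CREATE]),
              "| both:", is_denied(req, BOTH))
```

Run alone, it shows that the "enabled" policy alone lets a server be created with local authentication, the "during creation" policy alone lets local authentication be switched back on afterwards, and only the pair denies both. Swapping an assignment to Audit (the first token in several environment columns above) keeps the finding but removes the block, which is the difference a practitioner should check per environment.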
SQL |
Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
DeployIfNotExists Disabled |
||||||||
SQL |
Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
||||||
SQL |
Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
||||||
SQL |
Configure Azure Defender to be enabled on SQL managed instances Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
||||||
SQL |
Configure Azure Defender to be enabled on SQL servers Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
DeployIfNotExists |
||||||||
SQL |
Configure Azure SQL Server to disable public network access Disabling the public network access property shuts down public connectivity such that Azure SQL Server can only be accessed from a private endpoint. This configuration disables the public network access for all databases under the Azure SQL Server. |
Modify Disabled |
Modify Disabled |
|||||||
SQL |
Deploy Advanced Data Security on SQL servers This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. |
DeployIfNotExists |
DeployIfNotExists |
|||||||
SQL |
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |
Audit Disabled |
||||||||
SQL |
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |
Audit Disabled |
||||||||
SQL |
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. |
Audit Disabled |
||||||||
SQL |
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. |
Audit Disabled |
||||||||
SQL |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. |
Audit Disabled |
||||||||
SQL |
Infrastructure encryption should be enabled for Azure Database for MySQL servers Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
SQL |
MySQL database servers enforce SSL connections. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |
Audit Deny Disabled |
||||||||
SQL |
MySQL servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
Disabled AuditIfNotExists |
||||||
SQL |
PostgreSQL database servers enforce SSL connection. Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |
Audit Deny Disabled |
||||||||
SQL |
PostgreSQL servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
Disabled AuditIfNotExists |
||||||
SQL |
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |
Audit Disabled |
||||||||
SQL |
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |
AuditIfNotExists Disabled |
||||||||
SQL |
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |
AuditIfNotExists Disabled |
||||||||
SQL |
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |
AuditIfNotExists Disabled |
||||||||
SQL |
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. |
Audit Deny Disabled |
Deny Disabled Audit |
|||||||
SQL |
Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |
Audit Deny Disabled |
Deny Disabled Audit |
|||||||
SQL |
Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. |
Deny Disabled Audit |
||||||||
SQL |
Public network access should be disabled for MySQL servers Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |
Audit Deny Disabled |
Deny Disabled Audit |
|||||||
SQL |
Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. |
Deny Disabled Audit |
||||||||
SQL |
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |
Audit Deny Disabled |
Deny Disabled Audit |
|||||||
SQL |
SQL Managed Instance should have the minimal TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. |
Audit Disabled |
||||||||
SQL |
SQL Managed Instance should have the minimal TLS version set to the highest version Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. |
Audit Deny Disabled |
||||||||
SQL |
SQL managed instances deploy a specific min TLS version requirement. Deploy a specific minimum TLS version requirement and enforce SSL on SQL managed instances. Enforcing a minimum TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |
DeployIfNotExists Disabled |
||||||||
SQL |
SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |
Deny Disabled Audit |
Deny Disabled Audit |
Disabled Deny Audit |
||||||
SQL |
SQL servers deploys a specific min TLS version requirement. Deploy a specific minimum TLS version requirement and enforce SSL on SQL servers. Enforcing a minimum TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |
DeployIfNotExists Disabled |
||||||||
SQL |
SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |
Deny Disabled Audit |
Deny Disabled Audit |
Disabled Deny Audit |
||||||
SQL |
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. |
AuditIfNotExists Disabled |
||||||||
SQL |
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |
AuditIfNotExists Disabled |
||||||||
SQL |
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |
AuditIfNotExists Disabled |
||||||||
SQL |
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |
AuditIfNotExists Disabled |
||||||||
Stack HCI |
[Preview]: Azure Stack HCI servers should have consistently enforced application control policies At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster. |
AuditIfNotExists Disabled Audit |
||||||||
Stack HCI |
[Preview]: Azure Stack HCI servers should meet Secured-core requirements Ensure that all Azure Stack HCI servers meet the Secured-core requirements. To enable the Secured-core server requirements: 1. From the Azure Stack HCI clusters page, go to Windows Admin Center and select Connect. 2. Go to the Security extension and select Secured-core. 3. Select any setting that is not enabled and click Enable. |
AuditIfNotExists Disabled Audit |
||||||||
Stack HCI |
[Preview]: Azure Stack HCI systems should have encrypted volumes Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems. |
AuditIfNotExists Disabled Audit |
||||||||
Stack HCI |
[Preview]: Host and VM networking should be protected on Azure Stack HCI systems Protect data on the Azure Stack HCI hosts network and on virtual machine network connections. |
AuditIfNotExists Disabled Audit |
||||||||
Storage |
Allowed Copy scope should be restricted for Storage Accounts Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS Deploys a specific minimum TLS version requirement and enforces SSL on Azure Storage. Enforcing a minimum TLS version secures the connection between your storage account and your client applications and helps protect against man-in-the-middle attacks by encrypting the data stream between the storage account and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for blob groupID Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for blob_secondary groupID Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for dfs groupID Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for dfs_secondary groupID Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for file groupID Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for queue groupID Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for queue_secondary groupID Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for table groupID Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for table_secondary groupID Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for web groupID Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure a private DNS Zone ID for web_secondary groupID Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure Azure File Sync to use private DNS zones To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). |
DeployIfNotExists Disabled |
||||||||
Storage |
Configure storage accounts to disable public network access To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |
Modify Disabled |
Modify Disabled |
|||||||
Storage |
Configure your Storage account public access to be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. |
Modify Disabled |
Modify Disabled |
|||||||
Storage |
Deploy Defender for Storage (Classic) on storage accounts This policy enables Defender for Storage (Classic) on storage accounts. |
DeployIfNotExists Disabled |
DeployIfNotExists Disabled |
|||||||
Storage |
Deploy SA Availability Alert Policy to audit/deploy SA Availability Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
deployIfNotExists disabled |
||||||
Storage |
Encryption for storage services should be enforced for Storage Accounts Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Local users should be restricted for Storage Accounts Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection. |
Disabled Deny Audit |
Disabled Deny Audit |
|||||||
Storage |
Modify - Configure Azure File Sync to disable public network access Azure File Sync's internet-accessible public endpoint is disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s). |
Modify Disabled |
Modify Disabled |
|||||||
Storage |
Network ACL bypass option should be restricted for Storage Accounts Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Public network access should be disabled for Azure File Sync Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint; however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly. |
Deny Disabled Audit |
||||||||
Storage |
Queue Storage should use customer-managed key for encryption Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Resource Access Rules resource IDs should be restricted for Storage Accounts Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Resource Access Rules Tenants should be restricted for Storage Accounts Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from the same AAD tenant. Enforce this for increased data exfiltration protection. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Secure transfer to storage accounts should be enabled Audit the Secure transfer requirement in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. |
Audit Deny Disabled |
||||||||
Storage |
Storage account encryption scopes should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Storage account encryption scopes should use double encryption for data at rest Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Storage account keys should not be expired Ensure that storage account keys have not expired when a key expiration policy is set; this improves the security of account keys by prompting action once keys pass their expiry date. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. |
audit deny disabled |
Deny deny disabled audit |
|||||||
Storage |
Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Storage |
Storage accounts should disable public network access To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |
Deny Disabled Audit |
||||||||
Storage |
Storage accounts should have infrastructure encryption Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Storage accounts should have the specified minimum TLS version Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is TLS 1.2; TLS 1.0 and 1.1 have well-documented weaknesses. |
Deny Disabled Audit |
||||||||
Storage |
Storage accounts should prevent cross tenant object replication Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. This is a security concern because a customer's data can be replicated to a storage account that is not owned by that customer. By setting allowCrossTenantReplication to false, object replication can be configured only if both source and destination accounts are in the same Azure AD tenant. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Storage accounts should prevent shared key access Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Storage |
Storage Accounts should restrict CORS rules Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |
Deny Disabled Audit |
Deny Disabled Audit |
Disabled Deny Audit |
||||||
Storage |
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Storage |
Storage Accounts should use a container delete retention policy Enforce container delete retention policies longer than seven days for storage accounts. Enable this for increased data loss protection. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Storage accounts should use customer-managed key for encryption Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |
Audit Disabled |
Audit Disabled |
Disabled Audit |
||||||
Storage |
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview |
AuditIfNotExists Disabled |
||||||||
Storage |
Storage Accounts with SFTP enabled should be denied This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Table Storage should use customer-managed key for encryption Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Storage |
Virtual network rules should be restricted for Storage Accounts Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
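The Storage rows above (minimum TLS version, secure transfer, public blob access, shared key access, cross-tenant replication, network ACL default action) and the SQL min TLS row at the top of this section all list the same three possible effects, and the practical difference between them is what happens when a resource violates the rule: Deny rejects the write, Audit lets it through and flags the resource, Disabled does nothing. The Python below is an added example written for this page; it is not code from the oWretch/policy repository or from Azure Policy. Its rule conditions follow the policy descriptions above rather than Microsoft's built-in definition JSON, the two sample storage accounts are constructed, and the effect maps for "Production" (everything Deny) and "Sandbox" (Audit, with the shared-key rule Disabled) are assumptions chosen to show the contrast, not the effects this wiki actually reports for those environments. The TLS check deliberately treats a missing minimumTlsVersion as a violation, since an account without the property still accepts TLS 1.0.

```python
"""Mini evaluator for Azure Policy-style storage account rules.
Added example for this wiki page, not code from oWretch/policy or Azure Policy.
Rule conditions follow the policy descriptions on the page (not the built-in
definition JSON); sample accounts and effect maps are constructed."""
from dataclasses import dataclass
from typing import Any, Callable

# Azure Policy's "less" compares minimumTlsVersion as a string; this lexical
# order reproduces it. TLS1_3 is listed so a newer value compares as not-below (assumption).
TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]

def get_field(resource: dict, path: str) -> Any:
    """Resolve 'properties.networkAcls.defaultAction'; None if any segment is missing."""
    cur: Any = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

@dataclass(frozen=True)
class Rule:
    name: str                          # policy display name from the table above
    violated: Callable[[dict], bool]   # True when the resource breaks the rule

def tls_below(minimum: str) -> Callable[[dict], bool]:
    """Condition for the minimum TLS policy. A missing minimumTlsVersion counts as
    a violation: such an account still accepts TLS 1.0, which is what the policy targets."""
    def check(resource: dict) -> bool:
        value = get_field(resource, "properties.minimumTlsVersion")
        return value not in TLS_ORDER or TLS_ORDER.index(value) < TLS_ORDER.index(minimum)
    return check

STORAGE_RULES = [
    Rule("Storage accounts should have the specified minimum TLS version", tls_below("TLS1_2")),
    Rule("Secure transfer to storage accounts should be enabled",
         lambda r: get_field(r, "properties.supportsHttpsTrafficOnly") is not True),
    Rule("Storage account public access should be disallowed",
         lambda r: get_field(r, "properties.allowBlobPublicAccess") is not False),
    Rule("Storage accounts should prevent shared key access",
         lambda r: get_field(r, "properties.allowSharedKeyAccess") is not False),
    Rule("Storage accounts should prevent cross tenant object replication",
         lambda r: get_field(r, "properties.allowCrossTenantReplication") is not False),
    Rule("Storage accounts should restrict network access",
         lambda r: get_field(r, "properties.networkAcls.defaultAction") != "Deny"),
]

def evaluate(resource: dict, effects: dict) -> dict:
    """Apply every rule with the effect assigned in one environment.
    Outcomes: Skipped (Disabled), Compliant, NonCompliant (Audit: write succeeds,
    resource is flagged) or Denied (Deny: Resource Manager rejects the PUT/PATCH)."""
    results = {}
    for rule in STORAGE_RULES:
        effect = effects.get(rule.name, "Disabled")
        if effect == "Disabled":
            results[rule.name] = "Skipped"
        elif not rule.violated(resource):
            results[rule.name] = "Compliant"
        elif effect in ("Deny", "Audit"):
            results[rule.name] = "Denied" if effect == "Deny" else "NonCompliant"
        else:
            raise ValueError(f"unsupported effect {effect!r} for {rule.name}")
    return results

def request_allowed(results: dict) -> bool:
    """One Denied outcome is enough for Resource Manager to reject the whole request."""
    return "Denied" not in results.values()

# Constructed samples: every weak setting (minimumTlsVersion absent) vs. hardened.
WEAK_ACCOUNT = {"name": "stweak001", "type": "Microsoft.Storage/storageAccounts",
                "properties": {"supportsHttpsTrafficOnly": False, "allowBlobPublicAccess": True,
                               "allowSharedKeyAccess": True, "allowCrossTenantReplication": True,
                               "networkAcls": {"defaultAction": "Allow"}}}
HARDENED_ACCOUNT = {"name": "sthardened001", "type": "Microsoft.Storage/storageAccounts",
                    "properties": {"minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": True,
                                   "allowBlobPublicAccess": False, "allowSharedKeyAccess": False,
                                   "allowCrossTenantReplication": False,
                                   "networkAcls": {"defaultAction": "Deny"}}}

# Assumed effects per environment: Production denies, Sandbox audits and leaves the
# shared-key rule Disabled (developer convenience, not a recommendation).
PRODUCTION_EFFECTS = {rule.name: "Deny" for rule in STORAGE_RULES}
SANDBOX_EFFECTS = {rule.name: "Audit" for rule in STORAGE_RULES}
SANDBOX_EFFECTS["Storage accounts should prevent shared key access"] = "Disabled"

if __name__ == "__main__":
    for env, effects in (("Production", PRODUCTION_EFFECTS), ("Sandbox", SANDBOX_EFFECTS)):
        results = evaluate(WEAK_ACCOUNT, effects)
        print(f"{env}: request {'allowed' if request_allowed(results) else 'denied'}")
        for name, outcome in results.items():
            print(f"  {outcome:13} {name}")
```

Run it and the same weak account is rejected outright under the Production map but created and merely flagged under the Sandbox map, with the shared-key rule not evaluated at all where it is Disabled. That asymmetry is the reason an Audit-only assignment in a lower environment does not protect a landing zone: the resource exists, and nothing but a compliance report says so.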
Stream Analytics |
Azure Stream Analytics jobs should use customer-managed keys to encrypt data Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |
deny disabled audit |
deny disabled audit |
|||||||
Stream Analytics |
Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |
AuditIfNotExists Disabled |
||||||||
Synapse |
Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer Setting the TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS older than 1.2 is not recommended since they have well-documented security vulnerabilities. |
Deny Disabled Audit |
||||||||
Synapse |
Azure Synapse workspaces should allow outbound data traffic only to approved targets Increase security of your Synapse workspace by allowing outbound data traffic only to approved targets. This helps prevention against data exfiltration by validating the target before sending data. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Synapse |
Azure Synapse workspaces should disable public network access Disabling public network access improves security by ensuring that the Synapse workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your Synapse workspaces. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. |
Deny Disabled Audit |
||||||||
Synapse |
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Synapse |
Configure Azure Synapse Workspace Dedicated SQL minimum TLS version Customers can raise or lower the minimum TLS version using the API, for both new and existing Synapse workspaces, so that users who must use an older client TLS version can still connect while users with stricter security requirements can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. |
Modify Disabled |
Modify Disabled |
|||||||
Synapse |
Configure Azure Synapse workspaces to disable public network access Disable public network access for your Synapse workspace so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. |
Modify Disabled |
Modify Disabled |
|||||||
Synapse |
Configure Azure Synapse workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint. |
DeployIfNotExists Disabled |
||||||||
Synapse |
Configure Azure Synapse workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint. |
DeployIfNotExists Disabled |
||||||||
Synapse |
Configure Azure Synapse workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint. |
DeployIfNotExists Disabled |
||||||||
Synapse |
Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. |
Modify Disabled |
Modify Disabled |
|||||||
Synapse |
IP firewall rules on Azure Synapse workspaces should be removed Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace. |
Audit Disabled |
Audit Disabled |
|||||||
Synapse |
Managed workspace virtual network on Azure Synapse workspaces should be enabled Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provide user-level isolation for Spark activities. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Synapse |
Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
Synapse |
Synapse Workspaces should have Microsoft Entra-only authentication enabled Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. |
Audit Deny Disabled |
||||||||
Synapse |
Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
Trusted Launch |
Disks and OS image should support TrustedLaunch TrustedLaunch improves the security of a virtual machine but requires the OS disk and OS image to support it (Gen 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch |
Audit Disabled |
||||||||
Trusted Launch |
Virtual Machine should have TrustedLaunch enabled Enable TrustedLaunch on the virtual machine for enhanced security; use a VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch |
Audit Disabled |
||||||||
Unknown |
Deploy AGW ApplicationGatewayTotalTime Alert Policy to audit/deploy Azure Application Gateway ApplicationGatewayTotalTime Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy AGW BackendLastByteResponseTime Alert Policy to audit/deploy Azure Application Gateway BackendLastByteResponseTime Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy AGW Capacity Units Alert Policy to audit/deploy Azure Application Gateway CapacityUnits Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy AGW Compute Units Alert Policy to audit/deploy Azure Application Gateway ComputeUnits Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy AGW CPU Utilization Alert Policy to audit/deploy Azure Application Gateway CPU Utilization Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy AGW FailedRequests Alert Policy to audit/deploy Azure Application Gateway FailedRequests Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy AGW ResponseStatus Alert Policy to audit/deploy Azure Application Gateway ResponseStatus Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy AGW Unhealthy Host Count Alert Policy to audit/deploy Azure Application Gateway Unhealthy Host Count Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy ALB Data Path Availability Alert Policy to audit/deploy Azure Load Balancer Data Path Availability Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Unknown |
Deploy ALB Global Backend Availability Alert Policy to audit/deploy Azure Load Balancer Global Backend Availability Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Unknown |
Deploy ALB Health Probe Status Alert Policy to audit/deploy Azure Load Balancer Health Probe Status Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Unknown |
Deploy ALB Used SNAT Ports Alert Policy to audit/deploy Azure Load Balancer Used SNAT Ports Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Unknown |
Deploy App Service Plan CPU Percentage Alert Policy to audit/deploy App Service Plan CPU Percentage Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Unknown |
Deploy App Service Plan Memory Percentage Alert Policy to audit/deploy App Service Plan Memory Percentage Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Unknown |
Deploy ER Direct ExpressRoute Bits In Alert Policy to audit/deploy ER Direct Connection BitsInPerSecond Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy ER Direct ExpressRoute Bits Out Alert Policy to audit/deploy ER Direct Connection BitsOutPerSecond Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy ER Direct ExpressRoute LineProtocol Alert Policy to audit/deploy ER Direct LineProtocol Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy ER Direct ExpressRoute RxLightLevel Low Alert Policy to audit/deploy ER Direct RxLightLevel Low Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy ER Direct ExpressRoute TxLightLevel High Alert Policy to audit/deploy ER Direct TxLightLevel High Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy ER Direct ExpressRoute TxLightLevel Low Alert Policy to audit/deploy ER Direct TxLightLevel Low Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy FrontDoor CDN Profile Origin Health Percentage Alert Policy to audit/deploy FrontDoor Origin Health Percentage Alert |
deployIfNotExists disabled |
||||||||
Unknown |
Deploy Traffic Manager Endpoint Health Alert Policy to audit/deploy Traffic Manager Endpoint Health Alert |
deployIfNotExists disabled |
||||||||
VM Image Builder |
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. |
Audit Disabled |
||||||||
Web PubSub |
Configure Azure Web PubSub Service to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink. |
DeployIfNotExists Disabled |
||||||||
Web Services |
Deploy App Service Plan Disk Queue Length Alert Policy to audit/deploy App Service Plan Disk Queue Length Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
Web Services |
Deploy App Service Plan Http Queue Length Alert Policy to audit/deploy App Service Plan Http Queue Length Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
API Management |
API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |
aPIManagementServicesShouldUseAVirtualN... = ["Developer", "Premium"]
|
||||||||
App Configuration |
Configure private DNS zones for private endpoints connected to App Configuration Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. |
azureAppPrivateDnsZoneId = --DNSZonePrefix--privatelink.azconfig.io
|
||||||||
App Service |
AppService append sites with minimum TLS version to enforce. Append the AppService sites object to ensure that the minimum TLS version is set to the required value. Note that Append does not enforce compliance; use the Deny policy for that. |
AppServiceminTlsVersion = 1.2
|
||||||||
App Service |
Configure App Service apps to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. |
azureAppServicesPrivateDnsZoneId = --DNSZonePrefix--privatelink.azurewebsi...
|
||||||||
Automation | Configure Azure Automation accounts with private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. You need a properly configured private DNS zone to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | azureAutomationWebhookPrivateDnsZoneId = --DNSZonePrefix--privatelink.azure-auto... | | | | | | | | |
Automation | Configure Azure Automation accounts with private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. You need a properly configured private DNS zone to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | azureAutomationDSCHybridPrivateDnsZoneId = --DNSZonePrefix--privatelink.azure-auto... | | | | | | | | |
Automation | Deploy Automation Account TotalJob Alert Policy to audit/deploy Automation Account TotalJob Alert | AATotalJobAlertWindowSize = PT5M AATotalJobAlertAlertState = true AATotalJobAlertEvaluationFrequency = PT1M AATotalJobAlertSeverity = 2 AATotalJobAlertThreshold = 20 | | | | | | | | |
Azure Arc | Configure Azure Arc Private Link Scopes to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. | azureArcGuestconfigurationPrivateDnsZoneId = --DNSZonePrefix--privatelink.guestconfi... azureArcHybridResourceProviderPrivateDn... = --DNSZonePrefix--privatelink.his.arc.az... azureArcKubernetesConfigurationPrivateD... = --DNSZonePrefix--privatelink.dp.kuberne... | | | | | | | | |
Azure Databricks | Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. | azureDatabricksPrivateDnsZoneId = --DNSZonePrefix--privatelink.azuredatab... | | | | | | | | |
Azure Update Manager | Configure periodic checking for missing system updates on Azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | assessmentMode = AutomaticByPlatform locations = [] tagOperator = Any tagValues = {} | assessmentMode = AutomaticByPlatform locations = [] tagOperator = Any tagValues = {} | | | | | | | |
Backup | [Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. | azureSiteRecoveryQueuePrivateDnsZoneID = --DNSZonePrefix--privatelink.queue.core... azureSiteRecoveryBlobPrivateDnsZoneID = --DNSZonePrefix--privatelink.blob.core.... azureSiteRecoveryBackupPrivateDnsZoneID = --DNSZonePrefix--privatelink.--REGION-S... | | | | | | | | |
Backup | [Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | checkLockedImmutabilityOnly = false | checkLockedImmutabilityOnly = false | | | | | | | |
Backup | [Preview]: Soft delete should be enabled for Backup Vaults This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete | checkAlwaysOnSoftDeleteOnly = false | checkAlwaysOnSoftDeleteOnly = false | | | | | | | |
Batch | Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. | azureBatchPrivateDnsZoneId = --DNSZonePrefix--privatelink.batch.azur... | | | | | | | | |
Batch | Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | diagnosticsLogsInBatchAccountRetentionDays = 1 | | | | | | | | |
Bot Service | Configure BotService resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. | azureBotServicePrivateDnsZoneId = --DNSZonePrefix--privatelink.directline... | | | | | | | | |
Cache | Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. Append a specific minimum TLS version requirement and enforce SSL on Azure Cache for Redis. Enforcing a minimum TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | RedisMinTlsVersion = 1.2 | | | | | | | | |
Cache | Configure Azure Cache for Redis to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. | azureRedisCachePrivateDnsZoneId = --DNSZonePrefix--privatelink.redis.cach... | | | | | | | | |
ChangeTrackingAndInventory | Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | listOfApplicableLocations = ["australiacentral", "australiacentral2... | listOfApplicableLocations = ["australiacentral", "australiacentral2... | | | | | | | |
Cognitive Services | Configure Cognitive Services accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. | azureCognitiveServicesPrivateDnsZoneId = --DNSZonePrefix--privatelink.cognitives... | | | | | | | | |
Compute | Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. | azureDiskAccessPrivateDnsZoneId = --DNSZonePrefix--privatelink.blob.core.... | | | | | | | | |
Compute | Deploy VM CPU Alert Policy to audit/deploy VM CPU Alert | VMPercentCPUThreshold = 85 VMPercentCPUOperator = GreaterThan VMPercentCPUAlertState = true VMPercentCPUFailingPeriods = 1 VMPercentCPUAutoResolveTime = 00:10:00 VMPercentCPUTimeAggregation = Count VMPercentCPUWindowSize = PT15M VMPercentCPUAutoMitigate = true VMPercentCPUAutoResolve = true VMPercentCPUEvaluationFrequency = PT5M VMPercentCPUAlertSeverity = 2 | VMPercentCPUThreshold = 85 VMPercentCPUOperator = GreaterThan VMPercentCPUAlertState = true VMPercentCPUFailingPeriods = 1 VMPercentCPUAutoResolveTime = 00:10:00 VMPercentCPUTimeAggregation = Count VMPercentCPUWindowSize = PT15M VMPercentCPUAutoMitigate = true VMPercentCPUAutoResolve = true VMPercentCPUEvaluationFrequency = PT5M VMPercentCPUAlertSeverity = 2 | | | | | | | |
Compute | Deploy VM Data Disk Read Latency Alert Policy to audit/deploy VM dataDiskReadLatency Alert | VMDataDiskReadLatencyEvaluationPeriods = 1 VMDataDiskReadLatencyEvaluationFrequency = PT5M VMDataDiskReadLatencyWindowSize = PT15M VMDataDiskReadLatencyThreshold = 30 VMDataDiskReadLatencyAutoResolve = true VMDataDiskReadLatencyAlertSeverity = 2 VMDataDiskReadLatencyOperator = GreaterThan VMDataDiskReadLatencyTimeAggregation = Count VMDataDiskReadLatencyAutoResolveTime = 00:10:00 VMDataDiskReadLatencyComputersToInclude = ["*"] VMDataDiskReadLatencyAlertState = true VMDataDiskReadLatencyAutoMitigate = true VMDataDiskReadLatencyFailingPeriods = 1 | VMDataDiskReadLatencyEvaluationPeriods = 1 VMDataDiskReadLatencyEvaluationFrequency = PT5M VMDataDiskReadLatencyWindowSize = PT15M VMDataDiskReadLatencyThreshold = 30 VMDataDiskReadLatencyAutoResolve = true VMDataDiskReadLatencyAlertSeverity = 2 VMDataDiskReadLatencyOperator = GreaterThan VMDataDiskReadLatencyTimeAggregation = Count VMDataDiskReadLatencyAutoResolveTime = 00:10:00 VMDataDiskReadLatencyComputersToInclude = ["*"] VMDataDiskReadLatencyAlertState = true VMDataDiskReadLatencyAutoMitigate = true VMDataDiskReadLatencyFailingPeriods = 1 | | | | | | | |
Compute | Deploy VM Data Disk Space Alert Policy to audit/deploy VM data Disk Space Alert | VMDataDiskSpaceEvaluationPeriods = 1 VMDataDiskSpaceFailingPeriods = 1 VMDataDiskSpaceAlertSeverity = 2 VMDataDiskSpaceAutoResolve = true VMDataDiskSpaceOperator = GreaterThan VMDataDiskSpaceWindowSize = PT15M VMDataDiskSpaceAutoMitigate = true VMDataDiskSpaceThreshold = 10 VMDataDiskSpaceAlertState = true VMDataDiskSpaceTimeAggregation = Count VMDataDiskSpaceComputersToInclude = ["*"] VMDataDiskSpaceEvaluationFrequency = PT5M VMDataDiskSpaceAutoResolveTime = 00:10:00 | VMDataDiskSpaceEvaluationPeriods = 1 VMDataDiskSpaceFailingPeriods = 1 VMDataDiskSpaceAlertSeverity = 2 VMDataDiskSpaceAutoResolve = true VMDataDiskSpaceOperator = GreaterThan VMDataDiskSpaceWindowSize = PT15M VMDataDiskSpaceAutoMitigate = true VMDataDiskSpaceThreshold = 10 VMDataDiskSpaceAlertState = true VMDataDiskSpaceTimeAggregation = Count VMDataDiskSpaceComputersToInclude = ["*"] VMDataDiskSpaceEvaluationFrequency = PT5M VMDataDiskSpaceAutoResolveTime = 00:10:00 | | | | | | | |
Compute | Deploy VM Data Disk Write Latency Alert Policy to audit/deploy VM dataDiskWriteLatency Alert | VMDataDiskWriteLatencyAlertSeverity = 2 VMDataDiskWriteLatencyWindowSize = PT15M VMDataDiskWriteLatencyEvaluationPeriods = 1 VMDataDiskWriteLatencyThreshold = 30 VMDataDiskWriteLatencyComputersToInclude = ["*"] VMDataDiskWriteLatencyAutoResolve = true VMDataDiskWriteLatencyFailingPeriods = 1 VMDataDiskWriteLatencyTimeAggregation = Count VMDataDiskWriteLatencyAutoResolveTime = 00:10:00 VMDataDiskWriteLatencyAutoMitigate = true VMDataDiskWriteLatencyOperator = GreaterThan VMDataDiskWriteLatencyEvaluationFrequency = PT5M VMDataDiskWriteLatencyAlertState = true | VMDataDiskWriteLatencyAlertSeverity = 2 VMDataDiskWriteLatencyWindowSize = PT15M VMDataDiskWriteLatencyEvaluationPeriods = 1 VMDataDiskWriteLatencyThreshold = 30 VMDataDiskWriteLatencyComputersToInclude = ["*"] VMDataDiskWriteLatencyAutoResolve = true VMDataDiskWriteLatencyFailingPeriods = 1 VMDataDiskWriteLatencyTimeAggregation = Count VMDataDiskWriteLatencyAutoResolveTime = 00:10:00 VMDataDiskWriteLatencyAutoMitigate = true VMDataDiskWriteLatencyOperator = GreaterThan VMDataDiskWriteLatencyEvaluationFrequency = PT5M VMDataDiskWriteLatencyAlertState = true | | | | | | | |
Compute | Deploy VM HeartBeat Alert Policy to audit/deploy VM HeartBeat Alert for all VMs in the subscription | VMHeartBeatRGAlertSeverity = 1 VMHeartBeatRGComputersToInclude = ["*"] ALZMonitorResourceGroupLocation = eastus VMHeartBeatRGTimeAggregation = Count VMHeartBeatRGEvaluationFrequency = PT5M VMHeartBeatRGAutoResolveTime = 00:10:00 VMHeartBeatRGAutoResolve = true VMHeartBeatRGAlertState = true VMHeartBeatRGAutoMitigate = true VMHeartBeatRGFailingPeriods = 1 VMHeartBeatRGOperator = GreaterThan VMHeartBeatRGWindowSize = PT6H VMHeartBeatRGThreshold = 10 ALZMonitorResourceGroupName = rg-amba-monitoring-001 ALZMonitorResourceGroupTags = {"Project":"amba-monitoring"} | VMHeartBeatRGAlertSeverity = 1 VMHeartBeatRGComputersToInclude = ["*"] VMHeartBeatRGTimeAggregation = Count VMHeartBeatRGEvaluationFrequency = PT5M VMHeartBeatRGAutoResolveTime = 00:10:00 VMHeartBeatRGAutoResolve = true VMHeartBeatRGAlertState = true VMHeartBeatRGAutoMitigate = true VMHeartBeatRGFailingPeriods = 1 VMHeartBeatRGOperator = GreaterThan VMHeartBeatRGWindowSize = PT6H VMHeartBeatRGThreshold = 10 | | | | | | | |
Compute | Deploy VM Memory Alert Policy to audit/deploy VM Memory Alert | VMPercentMemoryAlertState = true VMPercentMemoryOperator = GreaterThan VMPercentMemoryWindowSize = PT15M VMPercentMemoryFailingPeriods = 1 VMPercentMemoryEvaluationFrequency = PT5M VMPercentMemoryAutoMitigate = true VMPercentMemoryThreshold = 10 VMPercentMemoryAlertSeverity = 2 VMPercentMemoryTimeAggregation = Count VMPercentMemoryAutoResolve = true VMPercentMemoryAutoResolveTime = 00:10:00 | VMPercentMemoryAlertState = true VMPercentMemoryOperator = GreaterThan VMPercentMemoryWindowSize = PT15M VMPercentMemoryFailingPeriods = 1 VMPercentMemoryEvaluationFrequency = PT5M VMPercentMemoryAutoMitigate = true VMPercentMemoryThreshold = 10 VMPercentMemoryAlertSeverity = 2 VMPercentMemoryTimeAggregation = Count VMPercentMemoryAutoResolve = true VMPercentMemoryAutoResolveTime = 00:10:00 | | | | | | | |
Compute | Deploy VM Network Read Alert Policy to audit/deploy VM Network Read Alert | VMNetworkInAutoMitigate = true VMNetworkInAlertState = true VMNetworkInWindowSize = PT15M VMNetworkInEvaluationFrequency = PT5M VMNetworkInTimeAggregation = Count VMNetworkInAutoResolve = true VMNetworkInComputersToInclude = ["*"] VMNetworkInAutoResolveTime = 00:10:00 VMNetworkInThreshold = 10000000 VMNetworkInOperator = GreaterThan VMNetworkInAlertSeverity = 2 VMNetworkInEvaluationPeriods = 1 VMNetworkInFailingPeriods = 1 | VMNetworkInAutoMitigate = true VMNetworkInAlertState = true VMNetworkInWindowSize = PT15M VMNetworkInEvaluationFrequency = PT5M VMNetworkInTimeAggregation = Count VMNetworkInAutoResolve = true VMNetworkInComputersToInclude = ["*"] VMNetworkInAutoResolveTime = 00:10:00 VMNetworkInThreshold = 10000000 VMNetworkInOperator = GreaterThan VMNetworkInAlertSeverity = 2 VMNetworkInEvaluationPeriods = 1 VMNetworkInFailingPeriods = 1 | | | | | | | |
Compute | Deploy VM Network Write Alert Policy to audit/deploy VM Network Out Alert | VMNetworkOutEvaluationPeriods = 1 VMNetworkOutAutoMitigate = true VMNetworkOutEvaluationFrequency = PT5M VMNetworkOutAutoResolveTime = 00:10:00 VMNetworkOutAutoResolve = true VMNetworkOutComputersToInclude = ["*"] VMNetworkOutTimeAggregation = Count VMNetworkOutAlertSeverity = 2 VMNetworkOutFailingPeriods = 1 VMNetworkOutThreshold = 10000000 VMNetworkOutOperator = GreaterThan VMNetworkOutAlertState = true VMNetworkOutWindowSize = PT15M | VMNetwo |