last sync: 2024-Nov-25 18:54:24 UTC

Microsoft Managed Control 1222 - Information System Component Inventory | Regulatory Compliance - Configuration Management

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1222 - Information System Component Inventory
Id fb39e62f-6bda-4558-8088-ec03d5670914
Version 1.0.0
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Description Microsoft implements this Configuration Management control
Additional metadata Name/Id: ACF1222 / Microsoft Managed Control 1222
Category: Configuration Management
Title: Information System Component Inventory - Accurate Reality, Granularity, And Accountability
Ownership: Customer, Microsoft
Description: The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system; Includes all components within the authorization boundary of the information system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes Unique asset identifier, NetBIOS name, Baseline configuration name, OS Name, IP address, Host Name, Server Name, Property Group, Serial Number, MS Asset Number, Datacenter, Collocation, Location Zone, Rack, Rack Slot Number, Environment, Manufacturer, Model, Platform Operating System, and Function; and
Requirements: After collecting inventory information from the below sources and teams, Azure consolidates the information and performs month-over-month data analysis and reconciliation. Any changes to, additions to, or removals from the inventory are identified, verified, and explained. This data is stored within the Kusto and Cosmos tools.

For all asset types, the inventory is consistent with the authorization boundary because it is kept up to date with new installations and decommissioning of devices. The inventory of logical assets is tracked in service Privacy Review documentation, which is reviewed as a part of the regular privacy review, or when there is a new component being reviewed as a part of the new feature Privacy Review. The Privacy Review documentation also maintains the retention requirements of the data as per regulatory requirements.

The inventory of all assets for Azure services must be maintained by, and is obtained from, the service owners using the following methods.

Servers
Physical inventory data is pulled daily from nine different sources, both available to customers and internal tools. These sources include MS Asset, DCMT, Cockpit, VMAC, Intune, Active Directory (AD), DNS, Network Graph Service (NGS), and Fabric2. These sources are maintained by each individual service team.

# Host
The Host inventory consists of nodes which have VM containers running on top of them. Nodes are differentiated by the type of work they do. If a node hosts virtual machines, then it is a Host node. If a node doesn't have virtual machines and the entire node is in use, then it is a Native node. Host inventory data is generated automatically using subscription data.

# Native
Native data is generated automatically using subscription data.

# Infraguest
Infraguest data is generated from subscriptions within Service Tree and the SQL team. Those subscriptions are then used to query Geneva Actions; each service team owns Azure subscriptions, and Geneva Actions generates reports showing all of the virtual machines belonging to each subscription ID.

# Bare Metal
The Bare Metal server inventory is defined as physical servers without virtual machines running on top. The inventory mapping is done through Service Tree. All MSAsset assets are assigned a Property Group and Property Dimension. These are assigned the ownership. Service Tree takes the associated owner and assigns a service based on the owner's division.

# Pilotfish
Pilotfish data is generated from the Pilotfish team, which provides a web service that the Inventory team queries to get the data.

Network Devices
Network data is populated from streams from the Azure Networking team. The Azure Networking team provides device data in Kusto which is processed by the Inventory team to add other attributes like Service Tree Name and asset identifier.

# Databases
Database information is calculated based upon the inventory of physical and virtual servers received from each team.

# Web Endpoints
Web endpoints are manually provided by each service team.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance
The following 1 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1222 - Information System Component Inventory' (fb39e62f-6bda-4558-8088-ec03d5670914)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
op.exp.1 Asset inventory op.exp.1 Asset inventory 404 not found n/a n/a 40
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History none
JSON compare n/a