AzInitiativeAdvertizer

last sync: 2024-Nov-25 18:54:43 UTC

ACAT for Microsoft 365 Certification

Azure BuiltIn Policy Initiative (PolicySet)

Source

Azure Portal

Display name

ACAT for Microsoft 365 Certification

80307b86-ab81-45ab-bf4f-4e0b93cf3dd5

Version

1.1.0
Details on versioning

Versioning

Versions supported for Versioning: 2
1.0.0
1.1.0
Built-in Versioning [Preview]

Category

Regulatory Compliance
Microsoft Learn

Description

App Compliance Automation Tool for Microsoft 365 (ACAT) simplifies the process to achieve Microsoft 365 Certification, see https://aka.ms/acat. This certification ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. This initiative includes policies that address a subset of the Microsoft 365 Certification controls. Additional policies will be added in upcoming releases.

Type

BuiltIn

Deprecated

False

Preview

False

Policy count

Total Policies: 16
Builtin Policies: 16
Static Policies: 0

Policy used

Policy DisplayName	Policy Id	Category	Effect	Roles#	Roles	State
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	3cf2ab00-13f1-4d0c-8971-2ac904541a7e	Guest Configuration	Fixed modify	1	Contributor	GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	497dff13-db2a-4c0f-8603-28fa3b331ab6	Guest Configuration	Fixed modify	1	Contributor	GA
App Service Environment should have TLS 1.0 and 1.1 disabled	d6545c6b-dd9d-4265-91e6-0b451e2f1c50	App Service	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure SQL Database should be running TLS version 1.2 or newer	32e6bbec-16b6-44c2-be37-c5b672d103cf	SQL	Default Audit Allowed Audit, Disabled, Deny	0		GA
Azure Synapse Analytics dedicated SQL pools should enable encryption	cfaf0007-99c7-4b01-b36b-4048872ac978	Synapse	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs	331e8ea8-378a-410f-a2e5-ae22f38bb0da	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	385f5831-96d4-41db-9a3c-cd3af78aaae6	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Disk encryption should be enabled on Azure Data Explorer	f4b53539-8df9-40e4-86c6-6b607703bd4e	Azure Data Explorer	Default Audit Allowed Audit, Deny, Disabled	0		GA
Linux virtual machines should have Azure Monitor Agent installed	1afdc4b6-581a-45fb-b630-f1e6051e3e7a	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
SQL Managed Instance should have the minimal TLS version of 1.2	a8793640-60f7-487c-b5c3-1d37215905c4	SQL	Default Audit Allowed Audit, Disabled	0		GA
Storage accounts should have the specified minimum TLS version	fe83a0eb-a853-422d-aac2-1bffd182c5d0	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Vulnerability assessment should be enabled on your Synapse workspaces	0049a6b3-a662-4f3e-8635-39cf44ace45a	Synapse	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Web Application Firewall (WAF) should use the specified mode for Application Gateway	12430be1-6cc8-4527-a9a8-e3d38f250096	Network	Default Audit Allowed Audit, Deny, Disabled	0		GA
Windows machines should configure Windows Defender to update protection signatures within one day	d96163de-dbe0-45ac-b803-0e9ca0f5764e	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Windows machines should enable Windows Defender Real-time protection	b3248a42-b1c1-41a4-87bc-8bad3d845589	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Windows virtual machines should have Azure Monitor Agent installed	c02729e5-e5e7-4458-97fa-2b5ad0661f28	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA

Roles used

Total Roles usage: 4
Total Roles unique usage: 1

Role	Role Id	Policies count	Policies
Contributor	b24988ac-6180-42a0-ab88-20f7382dd24c	4	Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

History

Date/Time (UTC ymd) (i)	Changes
2024-06-19 17:53:27	Version change: '1.0.0' to '1.1.0' remove Policy [Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway (632d3993-e2c0-44ea-a7db-2eca131f356d) remove Policy [Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection (711c24bb-7f18-4578-b192-81a6161e1f17) remove Policy [Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows (610b6183-5f00-4d68-86d2-4ab4cb3a67a5) remove Policy [Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection (f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf) remove Policy [Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium (f516dc7a-4543-4d40-aad6-98f76a706b50) remove Policy [Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) (6484db87-a62d-4327-9f07-80a2cbdf333a) remove Policy [Deprecated]: Windows machines should use the default NTP server (2454bbee-dc19-442f-83fc-7f3114cafd91) remove Policy [Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day (3810e389-1d92-4f77-9267-33bdcf0bd225)
2023-01-19 18:07:18	add Initiative 80307b86-ab81-45ab-bf4f-4e0b93cf3dd5

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC