Policy DisplayName |
Policy Id |
Category |
Effect |
Roles# |
Roles |
State |
[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
0961003e-5a0a-4549-abde-af6a37f2724d |
Security Center |
Default Disabled Allowed AuditIfNotExists, Disabled |
0 |
|
Deprecated |
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images |
32133ab0-ee4b-4b44-98d6-042180979d50 |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
Preview |
A maximum of 3 owners should be designated for your subscription |
4f11b553-d42e-4e3a-89be-32ca364cad4c |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
A vulnerability assessment solution should be enabled on your virtual machines |
501541f7-f7e7-4cd6-868c-4190fdad3ac9 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Accounts with owner permissions on Azure resources should be MFA enabled |
e3e008c3-56b9-4133-8fd7-d3347377402a |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Accounts with read permissions on Azure resources should be MFA enabled |
81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Accounts with write permissions on Azure resources should be MFA enabled |
931e118d-50a1-4457-a5e4-78550e086c52 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
3cf2ab00-13f1-4d0c-8971-2ac904541a7e |
Guest Configuration |
Fixed modify |
1 |
Contributor |
GA |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
497dff13-db2a-4c0f-8603-28fa3b331ab6 |
Guest Configuration |
Fixed modify |
1 |
Contributor |
GA |
All network ports should be restricted on network security groups associated to your virtual machine |
9daedab3-fb2d-461e-b861-71790eead4f6 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
An Azure Active Directory administrator should be provisioned for SQL servers |
1f314764-cb73-4fc9-b863-8eca98ac36e9 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should have remote debugging turned off |
cb510bfd-1cba-4d9f-a230-cb0976f4bb71 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should not have CORS configured to allow every resource to access your apps |
5744710e-cc2f-4ee8-8809-3b11e89f4bc9 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should only be accessible over HTTPS |
a4af4a39-4135-47fb-b175-47fbdf85311d |
App Service |
Default Audit Allowed Audit, Disabled, Deny |
0 |
|
GA |
App Service apps should use latest 'HTTP Version' |
8c122334-9d20-4eb8-89ea-ac9a705b74ae |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
App Service apps should use the latest TLS version |
f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit diagnostic setting for selected resource types |
7f89b1eb-583c-429a-8828-af049802c1d9 |
Monitoring |
Fixed AuditIfNotExists |
0 |
|
GA |
Audit Linux machines that allow remote connections from accounts without passwords |
ea53dbee-c6c9-4f0e-9f9e-de0039b78023 |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit Linux machines that do not have the passwd file permissions set to 0644 |
e6955644-301c-44b5-a4c4-528577de6861 |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit Linux machines that have accounts without passwords |
f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit usage of custom RBAC roles |
a451c1ef-c6ca-483d-87ed-f49761e3ffb5 |
General |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Audit virtual machines without disaster recovery configured |
0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 |
Compute |
Fixed auditIfNotExists |
0 |
|
GA |
Audit Windows machines missing any of specified members in the Administrators group |
30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 |
Guest Configuration |
Fixed auditIfNotExists |
0 |
|
GA |
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords |
5b054a0d-39e2-4d53-bea3-9734cad2c69b |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit Windows machines that do not have the maximum password age set to specified number of days |
4ceb8dc2-559c-478b-a15b-733fbf1e3738 |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit Windows machines that do not have the minimum password age set to specified number of days |
237b38db-ca4d-4259-9e47-7882441ca2c0 |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit Windows machines that do not have the password complexity setting enabled |
bf16e0bb-31e1-4646-8202-60a235cc7e74 |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit Windows machines that do not restrict the minimum password length to specified number of characters |
a2d0e922-65d0-40c4-8f87-ea6da2d307a2 |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit Windows machines that do not store passwords using reversible encryption |
da0f98fe-a24b-4ad5-af69-bd0400233661 |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Audit Windows machines that have the specified members in the Administrators group |
69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f |
Guest Configuration |
Fixed auditIfNotExists |
0 |
|
GA |
Auditing on SQL server should be enabled |
a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure DDoS Protection should be enabled |
a7aca53f-2ed4-4466-a25e-0b45ade68efd |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances |
abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Blocked accounts with owner permissions on Azure resources should be removed |
0cfea604-3201-4e14-88fc-fae4c427a6c5 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Blocked accounts with read and write permissions on Azure resources should be removed |
8d7e1fde-fe26-4b5f-8108-f8e432cbc2be |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
331e8ea8-378a-410f-a2e5-ae22f38bb0da |
Guest Configuration |
Fixed deployIfNotExists |
1 |
Contributor |
GA |
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
385f5831-96d4-41db-9a3c-cd3af78aaae6 |
Guest Configuration |
Fixed deployIfNotExists |
1 |
Contributor |
GA |
Email notification to subscription owner for high severity alerts should be enabled |
0b15565f-aa9e-48ba-8619-45960f2c314d |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Function apps should have remote debugging turned off |
0e60b895-3786-45da-8377-9c6b4b6ac5f9 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Function apps should only be accessible over HTTPS |
6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab |
App Service |
Default Audit Allowed Audit, Disabled, Deny |
0 |
|
GA |
Function apps should use latest 'HTTP Version' |
e2c1c086-2d84-4019-bff3-c44ccd95113c |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Function apps should use the latest TLS version |
f9d614c5-c173-4d56-95a7-b4437057d193 |
App Service |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Geo-redundant backup should be enabled for Azure Database for MariaDB |
0ec47710-77ff-4a3d-9181-6aa50af424d0 |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Geo-redundant backup should be enabled for Azure Database for MySQL |
82339799-d096-41ae-8538-b108becf0970 |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL |
48af4db5-9b8b-401c-8e74-076be876a430 |
SQL |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Geo-redundant storage should be enabled for Storage Accounts |
bf045164-79ba-4215-8f95-f8048dc1780b |
Storage |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Guest accounts with owner permissions on Azure resources should be removed |
339353f6-2387-4a45-abe4-7f529d121046 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Guest accounts with read permissions on Azure resources should be removed |
e9ac8f8e-ce22-4355-8f04-99b911d6be52 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Guest accounts with write permissions on Azure resources should be removed |
94e1c2ac-cbbe-4cac-a2b5-389c812dee87 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version |
fb893a29-21bb-418c-a157-e99480ec364c |
Security Center |
Default Audit Allowed Audit, Disabled |
0 |
|
GA |
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images |
5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Long-term geo-redundant backup should be enabled for Azure SQL Databases |
d38fc420-0735-4ef3-ac11-c806f651a570 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Management ports of virtual machines should be protected with just-in-time network access control |
b0f33259-77d7-4c9e-aac6-3aabcfae693c |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Microsoft IaaSAntimalware extension should be deployed on Windows servers |
9b597639-28e4-48eb-b506-56b05d366257 |
Compute |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Network Watcher should be enabled |
b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 |
Network |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Only secure connections to your Azure Cache for Redis should be enabled |
22bee202-a82f-4305-9a2a-6d7f44d4dedb |
Cache |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Secure transfer to storage accounts should be enabled |
404c3081-a854-4457-ae30-26a93ef643f9 |
Storage |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Service Fabric clusters should only use Azure Active Directory for client authentication |
b54ed75b-3e1a-44ac-a333-05ba39b99ff0 |
Service Fabric |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
SQL databases should have vulnerability findings resolved |
feedbf84-6b99-488c-acc2-71c829aa5ffc |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Storage accounts should restrict network access |
34c877ad-507e-4c82-993e-3452a6e0ad3c |
Storage |
Default Audit Allowed Audit, Deny, Disabled |
0 |
|
GA |
Subscriptions should have a contact email address for security issues |
4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
The Log Analytics extension should be installed on Virtual Machine Scale Sets |
efbde977-ba53-4479-b8e9-10b957924fbf |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
There should be more than one owner assigned to your subscription |
09024ccc-0c5f-475e-9457-b7c0d9ed487b |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Transparent Data Encryption on SQL databases should be enabled |
17k78e20-9358-41c9-923c-fb736d382a12 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Virtual machines should be connected to a specified workspace |
f47b5582-33ec-4c5c-87c0-b010a6b2e917 |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Virtual machines should have the Log Analytics extension installed |
a70ca396-0a34-413a-88e1-b956c1e683be |
Monitoring |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Vulnerabilities in security configuration on your machines should be remediated |
e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 |
Security Center |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Vulnerability assessment should be enabled on SQL Managed Instance |
1b7aa243-30e4-4c9e-bca8-d0d3022b634a |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Vulnerability assessment should be enabled on your SQL servers |
ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 |
SQL |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |
Windows machines should be configured to use secure communication protocols |
5752e6d6-1206-46d8-8ab1-ecc2f71a8112 |
Guest Configuration |
Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
0 |
|
GA |