$ az policy definition list -o table
Description DisplayName Mode Name PolicyType
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------------------------ ------- ------------------------------------ ------------
Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Audit virtual machines without disaster recovery configured All 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 BuiltIn
The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within an Function app must be carefully reviewed. [Preview]: Audit Web Sockets state for a Function App All 001802d1-4969-4c82-a700-c29c6c6f9bbd BuiltIn
Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. [Preview]: Deploy Log Analytics Agent for Linux VMs Indexed 053d3325-282c-4e5c-b944-24faffd30d77 BuiltIn
Audit enabling of logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised Audit enabling of diagnostic logs in Azure Data Lake Store Indexed 057ef27e-665e-4328-8ea3-04b3122bd9fb BuiltIn
Audit DB level audit setting for SQL databases Audit SQL DB Level Audit Setting All 06a78e20-9358-41c9-923c-fb736d382a12 BuiltIn
This policy audits VMs that do not use managed disks Audit VMs that do not use managed disks All 06a78e20-9358-41c9-923c-fb736d382a4d BuiltIn
Cross origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. [Preview]: Audit CORS resource access restrictions for a Function App All 0820b7b9-23aa-4725-a1ce-ae4558f718e5 BuiltIn
Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. [Preview]: Deploy Log Analytics Agent for Windows VMs Indexed 0868462e-646c-4fe3-9ced-a733534b6a2c BuiltIn
Use the latest supported PHP version for the latest security classes. Using older classes and types can make your application vulnerable. [Preview]: Audit Web Applications that are not using latest supported PHP Framework All 08b17839-76c6-4015-90e0-33d9d54d219c BuiltIn
It is recommended to designate more than one subscription owner in order to have administrator access redundancy. [Preview]: Audit minimum number of owners for subscription All 09024ccc-0c5f-475e-9457-b7c0d9ed487b BuiltIn
VMs without an enabled disk encryption will be monitored by Azure Security Center as recommendations [Preview]: Monitor unencrypted VM Disks in Azure Security Center All 0961003e-5a0a-4549-abde-af6a37f2724d BuiltIn
Audit that the resource location matches its resource group location Audit resource location matches resource group location Indexed 0a914e76-4921-4c19-b460-a2d36003525a BuiltIn
Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off. [Preview]: Audit remote debugging state for a Function App All 0e60b895-3786-45da-8377-9c6b4b6ac5f9 BuiltIn
Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. [Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted Indexed 11ac78e3-31bc-4f0c-8434-37ab963cea07 BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to audit applications inside Windows VMs must be present. [Preview]: Deploy VM extension to audit application inside Windows VMs must be present Indexed 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to check settings inside the virtual machine. This security setting determines the period of time (in days) that a password must be used before the user can change it. [Preview]: Deploy VM extension to audit Windows VM minimum password age 1 day Indexed 16390df4-2f73-4b42-af13-c801066763df BuiltIn
Audit transparent data encryption status for SQL databases Audit transparent data encryption status Indexed 17k78e20-9358-41c9-923c-fb736d382a12 BuiltIn
Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. [Preview]: Deploy Dependency Agent for Windows VMs Indexed 1c210e94-a481-4beb-95fa-1571b434fb04 BuiltIn
Use new Azure Resource Manager v2 for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit use of classic virtual machines All 1d84d5fb-01f6-4d12-ba4f-4a26081d403d BuiltIn
Use the latest supported .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable. [Preview]: Audit API Applications that are not using latest supported .NET Framework All 1de7b11d-1870-41a5-8181-507e7c663cfb BuiltIn
Enforces a required tag and its value. Does not apply to resource groups. Enforce tag and its value 1e30110a-5ceb-460c-a204-c1c3969c6d62 BuiltIn
Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Audit provisioning of an Azure Active Directory administrator for SQL server Indexed 1f314764-cb73-4fc9-b863-8eca98ac36e9 BuiltIn
Web applications without a Web Application Firewall protection will be monitored by Azure Security Center as recommendations [Preview]: Monitor unprotected web application in Azure Security Center All 201ea587-7c90-41c3-910f-c280ae01cfd6 BuiltIn
Use of custom domains protects a API app from common attacks such as phishing and other DNS-related attacks. [Preview]: Audit API Apps that are not using custom domains All 224da9fe-0d38-4e79-adb3-0a6e2af942ac BuiltIn
Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit enabling of only secure connections to your Redis Cache All 22bee202-a82f-4305-9a2a-6d7f44d4dedb BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to check settings inside the virtual machine. This security setting determines the least number of characters that a password for a user account may contain. [Preview]: Deploy VM extension to audit Windows VM passwords must be at least 14 characters Indexed 23020aa6-1135-4be2-bae2-149982b06eca BuiltIn
This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. [Preview]: Audit Windows VM maximum password age 70 days Indexed 24dde96d-f0b1-425e-884f-4a1421e2dcdc BuiltIn
Audit configuration of metric alert rules on Batch account to enable the required metric Audit configuration of metric alert rules on Batch accounts Indexed 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 BuiltIn
This policy deploys a Microsoft IaaSAntimalware extension with a default configuraion when a VM is not configured with the antimalware extension. Deploy default Microsoft IaaSAntimalware extension for Windows Server Indexed 2835b622-407b-4114-9198-6f7064cbe0dc BuiltIn
Applies a required tag and its default value if it is not specified by the user. Does not apply to resource groups. Apply tag and its default value 2a0e14a6-b0a6-4fab-991a-187a4f81c498 BuiltIn
This security setting determines whether the operating system stores passwords using reversible encryption. [Preview]: Audit Windows VM should not store passwords using reversible encryption Indexed 2d60d3b7-aa10-454c-88a8-de39d99d17c6 BuiltIn
This security setting verifies remote connections from accounts with empty passwords is disabled. [Preview]: Audit Linux VM allowing remote connections from accounts with no passwords Indexed 2d67222d-05fd-4526-a171-2ee132ad9e83 BuiltIn
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. [Preview]: Audit HTTPS only access for a Web Application All 2fde8a98-6892-426a-83ba-050e640c0ce0 BuiltIn
Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted Indexed 32133ab0-ee4b-4b44-98d6-042180979d50 BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to check settings inside the virtual machine. For Linux servers this includes Chef Inspec, Ruby, and Python. This security setting verifies there are no accounts without passwords. [Preview]: Deploy VM extension to audit Linux VM accounts with no passwords Indexed 3470477a-b35a-49db-aca5-1073d04524fe BuiltIn
Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit unrestricted network access to storage accounts Indexed 34c877ad-507e-4c82-993e-3452a6e0ad3c BuiltIn
Audit enabling of logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised Audit enabling of diagnostic logs in Logic Apps Indexed 34f95f76-5386-4de7-b824-0d8478470c9d BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to check settings inside the virtual machine. This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. [Preview]: Deploy VM extension to audit Windows VM maximum password age 70 days Indexed 356a906e-05e5-4625-8729-90771e0ee934 BuiltIn
Cross origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. [Preview]: Audit CORS resource access restrictions for an API App All 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac BuiltIn
It is important to enable encryption of Automation account variable assets when storing sensitive data Audit enablement of encryption of Automation account variables All 3657f5a0-770e-44a3-b44e-9431ba1e9735 BuiltIn
This policy ensures that Threat Detection is enabled on SQL Servers. Deploy Threat Detection on SQL servers Indexed 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 BuiltIn
Use new Azure Resource Manager v2 for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit use of classic storage accounts All 37e0d2fe-28a5-43d6-a273-67d37d1f5606 BuiltIn
Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. [Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS) Indexed 3be22e3b-d919-47aa-805e-8985dbeb0ad9 BuiltIn
Deploy Log Analytics Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. [Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS) Indexed 3c1b3629-c8f8-4bf6-862c-037cb9094038 BuiltIn
This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace Deploy default Log Analytics Agent for Ubuntu VMs Indexed 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 BuiltIn
Use the latest supported PHP version for the latest security classes. Using older classes and types can make your application vulnerable. [Preview]: Audit API Applications that are not using latest supported PHP Framework All 3fe37002-5d00-4b37-a301-da09e3a0ca66 BuiltIn
Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit secure transfer to storage accounts Indexed 404c3081-a854-4457-ae30-26a93ef643f9 BuiltIn
Audit enabling of logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised Audit enabling of diagnostic logs in Batch accounts Indexed 428256e6-1fac-4f48-a757-df34c2b3336d BuiltIn
Network Security Groups with too permissive rules will be monitored by Azure Security Center as recommendations [Preview]: Monitor permissive network access in Azure Security Center All 44452482-524f-4bf4-b852-0bff7cc4a3ed BuiltIn
This policy ensures all SQL servers use version 12.0 Require SQL Server version 12.0 464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf BuiltIn
Use the latest supported Python version for the latest security classes. Using older classes and types can make your application vulnerable. [Preview]: Audit Web Applications that are not using latest supported Python Framework All 46544d7b-1f0d-46f5-81da-5c1351de1b06 BuiltIn
This policy enforces usage of automatic OS upgrade with application health checks through health probes, which enables safer rollout by evaluating application health after each OS upgrade batch. Enforce automatic OS upgrade with app health checks on VMSS All 465f0161-0087-490a-9ad9-ad6217f4f43a BuiltIn
Possible Application Whitelist configuration will be monitored by Azure Security Center [Preview]: Monitor possible app Whitelisting in Azure Security Center All 47a6b606-51aa-4496-8bb7-64b11cf66adc BuiltIn
IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects an API app from common attacks. [Preview]: Audit IP restrictions configuration for an API App All 48893b84-a2c8-4d9a-badf-835d5d1b7d53 BuiltIn
Applies a required tag and its default value to resource groups if it is not specified by the user. Apply tag and its default value to resource groups All 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71 BuiltIn
Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. [Preview]: Deploy Dependency Agent for Linux VMs Indexed 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee BuiltIn
It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. [Preview]: Audit maximum number of owners for a subscription All 4f11b553-d42e-4e3a-89be-32ca364cad4c BuiltIn
Cross origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. [Preview]: Audit CORS resource access restrictions for a Web Application All 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 BuiltIn
This security setting determines the period of time (in days) that a password must be used before the user can change it. [Preview]: Audit Windows VM minimum password age 1 day Indexed 5aa11bbc-5c76-4302-80e5-aba46a4282e7 BuiltIn
This security setting determines the least number of characters that a password for a user account may contain. [Preview]: Audit Windows VM passwords must be at least 14 characters Indexed 5aebc8d1-020d-4037-89a0-02043a7524ec BuiltIn
Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. [Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted Indexed 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 BuiltIn
External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. [Preview]: Audit external accounts with write permissions on a subscription All 5c607a2e-c700-4744-8254-d77e7c9eb5e4 BuiltIn
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. [Preview]: Audit HTTPS only access for a Function App All 5df82f4f-773a-4a2d-97a2-422a806f1a55 BuiltIn
Use the latest supported .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable. [Preview]: Audit Web Applications that are not using latest supported .NET Framework All 5e3315e0-a414-4efb-a4d2-c7bd2b0443d2 BuiltIn
This policy will audit instances of applications running inside Windows virtual machines, to verify that the application exists. [Preview]: Audit application inside Windows VMs must be present Indexed 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 BuiltIn
Allows resource creation in the following locations only: West India, South India, Central India Allow resource creation only in India data centers 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 BuiltIn
Deploy Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. [Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS) Indexed 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 BuiltIn
External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. [Preview]: Audit external accounts with read permissions on a subscription All 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 BuiltIn
This policy will audit instances of Internet Information Services (IIS) running inside Windows virtual machines, to verify that TLS minimum version 1.1 is used for encryption. [Preview]: Audit web servers inside Windows VMs must use TLS minimum version 1.1 encryption Indexed 60ffe3e2-4604-4460-8f22-0f1da058266c BuiltIn
Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Audit the setting of ClusterProtectionLevel property to EncryptAndSign in Service Fabric Indexed 617c02be-7f02-4efd-8836-3180d47b6c68 BuiltIn
This policy audits storage accounts without blob encryption. It only applies to Microsoft.Storage resource types, not other storage providers. Possible network Just In Time access will be monitored by Azure Security Center as recommendations. [Preview]: Audit missing blob encryption for storage accounts All 655cb504-bcee-4362-bd4c-402e6aa38759 BuiltIn
IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a Function app from common attacks. [Preview]: Audit IP restrictions configuration for a Function App All 664346d9-be92-43fb-a219-d595eeb76a90 BuiltIn
IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common attacks. [Preview]: Audit IP restrictions configuration for a Web Application All 6a8450e2-6c61-43b4-be65-62e3a197bffe BuiltIn
Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. [Preview]: Audit deprecated accounts on a subscription All 6b1cbf55-e8b6-442f-ba4c-7246b6381474 BuiltIn
This policy enables you to specify the resource types that your organization cannot deploy. Not allowed resource types 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 BuiltIn
Allows resource creation in the following locations only: Japan East, Japan West Allow resource creation only in Japan data centers 6fdb9205-3462-4cfc-87d8-16c7860b53f4 BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to check settings inside the virtual machine. This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. [Preview]: Deploy VM extension to audit Windows VM should not allow previous 24 passwords Indexed 726671ac-c4de-4908-8c7d-6043ae62e3b6 BuiltIn
This policy enables you to specify a set of storage account SKUs that your organization can deploy. Allowed storage account SKUs 7433c107-6db4-4ad1-b57a-a76dce0154a1 BuiltIn
Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised Audit enabling of diagnostic logs in App Services All 752c6934-9bcc-4749-b004-655e676ae2ac BuiltIn
Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. [Preview]: Monitor VM Vulnerabilities in Azure Security Center All 760a85ff-6162-42b3-8d70-698e268f648c BuiltIn
Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. [Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS) Indexed 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 BuiltIn
It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. Audit enabling of diagnostics logs in Service Fabric and Virtual Machine Scale Sets Indexed 7c1b1214-f927-48bf-8882-84f0af6588b1 BuiltIn
This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. Require blob encryption for storage accounts 7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to check settings inside the virtual machine. If this policy is enabled, passwords must meet minimum requirements. See documentation for full details at URL http://aka.ms/gcpol. [Preview]: Deploy VM extension to audit Windows VM enforces password complexity requirements Indexed 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 BuiltIn
Audit diagnostic setting for selected resource types Audit diagnostic setting All 7f89b1eb-583c-429a-8828-af049802c1d9 BuiltIn
Audit enabling of logs and retain them up to a year. This enables recreation of activity trails for investigation purposes when a security incident occurs or your network is compromised Audit enabling of diagnostic logs in Event Hub Indexed 83a214f7-d01a-484b-91a9-ed54470c9a6a BuiltIn
Enables transparent data encryption on SQL databases Deploy SQL DB transparent data encryption Indexed 86a912f6-9a06-4e26-b447-11b16ba8659f BuiltIn
Missing security system updates on your servers will be monitored by Azure Security Center as recommendations [Preview]: Monitor missing system updates in Azure Security Center All 86b3d65f-7626-441e-b690-81a8b71cff60 BuiltIn
Enforces a required tag and its value on resource groups. Enforce tag and its value on resource groups All 8ce3da23-7156-49e4-b145-24f95f9dcb46 BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to check settings inside the virtual machine. This security setting determines whether the operating system stores passwords using reversible encryption. [Preview]: Deploy VM extension to audit Windows VM should not store passwords using reversible encryption Indexed 8ff0b18b-262e-4512-857a-48ad0aeb9a78 BuiltIn
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. [Preview]: Audit accounts with write permissions who are not MFA enabled on a subscription All 9297c21d-2ed6-4474-b48f-163f75654ce3 BuiltIn
Allows resource creation in the following locations only: North Europe, West Europe Allow resource creation only in European data centers 94c19f19-8192-48cd-a11b-e37099d3e36b BuiltIn
Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US Allow resource creation only in United States data centers 983211ba-f348-4758-983b-21fa29294869 BuiltIn
Use the latest supported Java version for the latest security classes. Using older classes and types can make your application vulnerable. [Preview]: Audit API Applications that are not using latest supported Java Framework All 9bfe3727-0a17-471f-a2fe-eddd6b668745 BuiltIn
Network endpoints without a Next Generation Firewall's protection will be monitored by Azure Security Center as recommendations [Preview]: Monitor unprotected network endpoints in Azure Security Center All 9daedab3-fb2d-461e-b861-71790eead4f6 BuiltIn
This policy enables you to specify the resource types that your organization can deploy. Allowed resource types a08ec900-254a-4555-9bf5-e42af04b5c5c BuiltIn
Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues and topics to provide access to only the specific entity Audit authorization rules on Service Bus namespaces All a1817ec0-a368-432a-8057-8371e17ac6ee BuiltIn
Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit usage of custom RBAC rules All a451c1ef-c6ca-483d-87ed-f49761e3ffb5 BuiltIn
Audits the existence of SQL Auditing at the server level Audit SQL server level Auditing settings Indexed a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 BuiltIn
DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. [Preview]: Audit standard tier of DDoS protection is enabled for a virtual network All a7aca53f-2ed4-4466-a25e-0b45ade68efd BuiltIn
This policy ensures encryption is enabled on all Data Lake Store accounts Enforce encryption on Data Lake Store accounts Indexed a7ff3161-0087-490a-9ad9-ad6217f4f43a BuiltIn
Unencrypted SQL servers or databases will be monitored by Azure Security Center as recommendations [Preview]: Monitor unencrypted SQL database in Azure Security Center All a8bef009-a5c9-4d0f-90d7-6018734e8a16 BuiltIn
This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. Deploy network watcher when virtual networks are created Indexed a9b99dd8-06c5-4317-8629-9d86a3c6e7d9 BuiltIn
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. [Preview]: Audit accounts with owner permissions who are not MFA enabled on a subscription All aa633080-8b72-40c4-a2d7-d00c03e80bed BuiltIn
Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center. [Preview]: Automatic provisioning of security monitoring agent All abcc6037-1fc4-47f6-aac5-89706589be24 BuiltIn
Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging Allow resource creation if 'environment' tag value in allowed values ac7e5fc0-c029-4b12-91d4-a8500ce697f9 BuiltIn
Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations [Preview]: Monitor missing Endpoint Protection in Azure Security Center All af6cd1bd-1635-48cb-bde7-5b15693900b9 BuiltIn
SQL servers and databases which doesn't have SQL auditing turned on will be monitored by Azure Security Center as recommendations [Preview]: Monitor unaudited SQL database in Azure Security Center All af8051bf-258b-44e2-a2bf-165330459f9d BuiltIn
Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations [Preview]: Monitor possible network Just In Time (JIT) access in Azure Security Center All b0f33259-77d7-4c9e-aac6-3aabcfae693c BuiltIn
This security setting verifies /etc/passwd file permissions are set to 0644 to prevent unauthorized changes that could allow access to the server. [Preview]: Audit Linux VM /etc/passwd file permissions are set to 0644 Indexed b18175dd-c599-4c64-83ba-bb018a06d35b BuiltIn
Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues and topics to provide access to only the specific entity Audit authorization rules on Event Hub namespaces All b278e460-7cfc-4451-8294-cccc40a940d7 BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to audit instances of Internet Information Services (IIS) running inside Windows virtual machines, to verify that TLS minimum version 1.1 is used for encryption. [Preview]: Deploy VM extension to audit web servers inside Windows VMs must use TLS minimum version 1.1 encryption Indexed b2fc8f91-866d-4434-9089-5ebfe38d6fd8 BuiltIn
Audit enabling of logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised Audit enabling of diagnostic logs for Search service Indexed b4330a05-a843-4bc8-bf9a-cacce50c67f4 BuiltIn
The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within an API app must be carefully reviewed. [Preview]: Audit Web Sockets state for an API App All b48334a4-911b-4084-b1ab-3e6a4e50b951 BuiltIn
Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit usage of Azure Active Directory for client authentication in Service Fabric Indexed b54ed75b-3e1a-44ac-a333-05ba39b99ff0 BuiltIn
Use the latest supported Python version for the latest security classes. Using older classes and types can make your application vulnerable. [Preview]: Audit API Applications that are not using latest supported Python Framework All bc0378bb-d7ab-4614-a0f6-5a6e3f02d644 BuiltIn
Use the latest supported Java version for the latest security classes. Using older classes and types can make your application vulnerable. [Preview]: Audit Web Applications that are not using latest supported Java Framework All be0a7681-bed4-48dc-9ff3-f0171ee170b6 BuiltIn
Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West Allow resource creation only in Asia data centers c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 BuiltIn
This security setting verifies there are no accounts without passwords. [Preview]: Audit Linux VM accounts with no passwords Indexed c40c9087-1981-4e73-9f53-39743eda9d05 BuiltIn
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. [Preview]: Audit HTTPS only access for an API App All c85538c1-b527-4ce4-bdb4-1dabcb3fd90d BuiltIn
Audit enabling of logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised Audit enabling of diagnostic logs in Data Lake Analytics Indexed c95c74d9-38fe-4f0d-af86-0c7d626a315c BuiltIn
This policy automatically deploys diagnostic settings to network security groups. Apply Diagnostic Settings for Network Security Groups Indexed c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 BuiltIn
Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. [Preview]: Audit remote debugging state for a Web Application All cb510bfd-1cba-4d9f-a230-cb0976f4bb71 BuiltIn
This policy enables you to specify a set of virtual machine SKUs that your organization can deploy. Allowed virtual machine SKUs cccc23c7-8427-4f53-ad12-b6a63eb452b3 BuiltIn
Allows resource creation only if the 'department' tag is set Allow resource creation if 'department' tag set cd8dc879-a2ae-43c3-8211-1877c5755064 BuiltIn
This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. [Preview]: Audit Windows VM should not allow previous 24 passwords Indexed cdbf72d9-ac9c-4026-8a3a-491a5ac59293 BuiltIn
Audit enabling of logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised Audit enabling of diagnostic logs in Key Vault Indexed cf820ca0-f99e-4f3e-84fb-66e913812d21 BuiltIn
Use of custom domains protects a Function app from common attacks such as phishing and other DNS-related attacks. [Preview]: Audit Function Apps that are not using custom domains All d1cb47db-b7a1-4c46-814e-aad1c0e84f3c BuiltIn
Use of custom domains protects a web application from common attacks such as phishing and other DNS-related attacks. [Preview]: Audit Web Applications that are not using custom domains All dd2ea520-6b06-45c3-806e-ea297c23e06a BuiltIn
Allows resource creation in the following locations only: Japan East, Japan West Allow resource creation only in Japan data centers e01598e8-6538-41ed-95e8-8b29746cd697 BuiltIn
Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations [Preview]: Monitor OS vulnerabilities in Azure Security Center All e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 BuiltIn
Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. [Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted Indexed e2dd799a-a932-4e9d-ac17-d473bc3c6c10 BuiltIn
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. [Preview]: Audit accounts with read permissions who are not MFA enabled on a subscription All e3576e28-8b17-4677-84c3-db2990658d64 BuiltIn
This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. Allowed locations e56962a6-4747-49cd-b67b-bf8b01975c4c BuiltIn
Use the latest supported Node.js version for the latest security classes. Using older classes and types can make your application vulnerable. [Preview]: Audit Web Applications that are not using latest supported Node.js Framework All e67687e8-08d5-4e7f-8226-5b4753bba008 BuiltIn
This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. Allowed locations for resource groups All e765b5de-1225-4ba3-bd56-1ac6695af988 BuiltIn
The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within a web application must be carefully reviewed. [Preview]: Audit Web Sockets state for a Web Application All e797f851-8be7-4c40-bb56-2e3395215b0e BuiltIn
Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off. [Preview]: Audit remote debugging state for an API App All e9c8d085-d9cc-4b17-9cdc-059f1f01f19e BuiltIn
Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. [Preview]: Audit deprecated accounts with owner permissions on a subscription All ebb62a0c-3560-49e1-89ed-27e074e9f8ad BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration and Microsoft Azure Managed Service Identity, and required content to check settings inside the virtual machine. For Linux servers this includes Chef Inspec, Ruby, and Python. This security setting verifies remote connections from accounts with empty passwords is disabled. [Preview]: Deploy VM extension to audit Linux VM allowing remote connections from accounts with no passwords Indexed ec49586f-4939-402d-a29e-6ff502b20592 BuiltIn
Include this rule to deploy the VM extensions for Microsoft Guest Configuration, Microsoft Azure Managed Service Identity, and required content to check settings inside the virtual machine. For Linux servers this includes Chef Inspec, Ruby, and Python. This security setting verifies /etc/passwd file permissions are set to 0644 to prevent unauthorized changes that could allow access to the server. [Preview]: Deploy VM extension to audit Linux VM passwd file permissions Indexed f19aa1c1-6b91-4c27-ae6a-970279f03db9 BuiltIn
Reports VMs as non-compliant if they are not logging to the LA workspace specified in the policy/initiative assignment. [Preview]: Audit Log Analytics Workspace for VM - Report Mismatch Indexed f47b5582-33ec-4c5c-87c0-b010a6b2e917 BuiltIn
Audit existence of authorization rules on Event Hub entities to grant least-privileged access Audit existence of authorization rules on Event Hub entities All f4826e5f-6a27-407c-ae3e-9582eb39891d BuiltIn
If this policy is enabled, passwords must meet minimum requirements. See documentation for full details at URL http://aka.ms/gcpol. [Preview]: Audit Windows VM enforces password complexity requirements Indexed f48b2913-1dc5-4834-8c72-ccc1dfd819bb BuiltIn
This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records. Deploy Auditing on SQL servers Indexed f4c68484-132f-41f9-9b6d-3e4b1cb55036 BuiltIn
External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. [Preview]: Audit external accounts with owner permissions on a subscription All f8456c1c-aa66-4dfb-861a-25d127b775c9 BuiltIn
Audit enabling of logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised Audit enabling of diagnostic logs in Service Bus Indexed f8d36e2f-389b-4ee4-898d-21aeb69a0f45 BuiltIn
Audit enabling of logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised Audit enabling of diagnostic logs in Azure Stream Analytics Indexed f9be5368-9bf5-4b84-9e0a-7850da98bb46 BuiltIn
Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. [Preview]: Monitor SQL vulnerability assessment results in Azure Security Center Indexed feedbf84-6b99-488c-acc2-71c829aa5ffc BuiltIn
This restricts users to use CSE standard Virtual Network Gateway SKU. CSEStdPolicyVNETGateway CSEStdPolicyVNETGateway Custom
This restricts users from creating virtual network peering outside the network zones CSEStdPolicyVNETPeering_PvtApp CSEStdPolicyVNETPeering_PvtApp Custom
This restricts users from adding any resources other than Microsoft.Network resources inside the ERNETWORK RG SDOStdPolicyERNetworkRGV1 SDOStdPolicyERNetworkRGV1 Custom
Per ISRM security policy we do not allow public ip addresses and user defined routes. SDOStdPolicyNetwork SDOStdPolicyNetwork Custom
Please see "RequestDisallowedByPolicy error with Azure resource policy" for more detail.