All Policies

| Service | Policy Definition | Parameter Requirements | Audit Only | Azure Security Benchmark | CIS | CMMC L3 | ISO 27001 | NIST SP 800-53 R4 | NIST SP 800-171 R2 | HIPAA HITRUST 9.2 | New Zealand ISM | Parameters | Link | ID |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| API Management | API Management service should use a SKU that supports virtual networks | Optional | No | | | | | | | | | listOfAllowedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_AllowedVNETSkus_AuditDeny.json | 73ef9241-5d81-4cd4-b483-8443d1730fe5 |
| API for FHIR | Azure API for FHIR should use a customer-managed key to encrypt data at rest | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_EnableByok_Audit.json | 051cba44-2429-45b9-9649-46cec11c7119 |
| API for FHIR | Azure API for FHIR should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json | 1ee56206-5dd1-42ab-b02d-8aae8b1634ce |
| API for FHIR | CORS should not allow every domain to access your API for FHIR | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json | 0fea8f8a-4169-495d-8307-30ec335f387d |
| App Configuration | App Configuration should disable public network access | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_PublicNetworkAccess_Audit.json | 3d9f5e4c-9947-4579-9539-2a7695fbc187 |
| App Configuration | App Configuration should use a SKU that supports private link | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_AllowedSku_Audit.json | 89c8a434-18f0-402c-8147-630a8dea54e0 |
| App Configuration | App Configuration should use a customer-managed key | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Configuration/CustomerManagedKey_Audit.json | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 |
| App Configuration | App Configuration should use private link | None | Yes | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json | ca610c1d-041c-4332-9d88-7ed3094967c7 |
| App Configuration | App Configuration stores should have local authentication methods disabled | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Configuration/DisableLocalAuth_Audit.json | b08ab3ca-1062-4db3-8803-eec9cae605d6 |
| App Platform | Audit Azure Spring Cloud instances where distributed tracing is not enabled | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Platform/Spring_DistributedTracing_Audit.json | 0f2d8593-4667-4932-acca-6a9f187af109 |
| App Service | API App should only be accessible over HTTPS | None | Yes | DP-4 | | | A.10.1.1 | SC-8 (1) | 3.13.8 | 0949.09y2Organizational.5 - 09.y | SS-8 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json | b7ddfbdc-1260-477d-91fd-98bd9be789a6 |
| App Service | API apps should use an Azure file share for its content directory | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_StorageAccountRequired_Audit.json | 324c7761-08db-4474-9661-d1039abc92ee |
| App Service | App Service Apps should be injected into a virtual network | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_App_VNetIntegrationEnabled_Audit.json | 72d04c29-f87d-4575-9731-419ff16a2757 |
| App Service | App Service Environment apps should not be reachable over public internet | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_HostingEnvironment_InternalLoadBalancingMode_Audit.json | 2d048aca-6479-4923-88f5-e2ac295d9af3 |
| App Service | App Service Environment should be configured with strongest TLS Cipher suites | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_HostingEnvironment_StrongestTLSCipher_Audit.json | 817dcf37-e83d-4999-a472-644eada2ea1e |
| App Service | App Service Environment should be provisioned with latest versions | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_HostingEnvironment_LatestVersions_Audit.json | eb4d34ab-0929-491c-bbf3-61e13da19f9a |
| App Service | App Service Environment should disable TLS 1.0 and 1.1 | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_HostingEnvironment_DisableTls_Audit.json | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 |
| App Service | App Service Environment should enable internal encryption | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_HostingEnvironment_InternalEncryption_Audit.json | fb74e86f-d351-4b8d-b034-93da7391c01f |
| App Service | App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_VnetRouteAllEnabled_Audit.json | 33228571-70a4-4fa1-8ca1-26d0aba8d6ef |
| App Service | App Service apps should use a SKU that supports private link | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisablePrivateEndpoint_Deny.json.json | 546fe8d2-368d-4029-a418-6af48a7f61e5 |
| App Service | App Service should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_PrivateEndpoint_AINE.json | 687aa49d-0982-40f8-bf6b-66d1da97a04b |
| App Service | App Services should disable public network access | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_PublicNetworkAccess_AINE.json | 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 |
| App Service | Authentication should be enabled on your API app | None | Yes | | 9.1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_ApiApp_Audit.json | c4ebc54a-46e1-481a-bee2-d4411e95d828 |
| App Service | Authentication should be enabled on your Function app | None | Yes | | 9.1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 |
| App Service | Authentication should be enabled on your web app | None | Yes | | 9.1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json | 95bccee9-a7f8-4bec-9ee9-62c3473701fc |
| App Service | CORS should not allow every resource to access your API App | None | Yes | PV-2 | | | | | | 0911.09s1Organizational.2 - 09.s | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json | 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac |
| App Service | CORS should not allow every resource to access your Function Apps | None | Yes | PV-2 | | | | | | 0960.09sCSPOrganizational.1 - 09.s | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json | 0820b7b9-23aa-4725-a1ce-ae4558f718e5 |
| App Service | CORS should not allow every resource to access your Web Applications | None | Yes | PV-2 | | | | AC-4 | 3.1.3 | 0916.09s2Organizational.4 - 09.s | SS-8 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json | 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 |
| App Service | Diagnostic logs in App Services should be enabled | None | Yes | LT-4 | 5.3 | | | | | 1209.09aa3System.2 - 09.aa | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json | b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 |
| App Service | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | None | Yes | PV-2 | 9.4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 |
| App Service | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | None | Yes | PV-2 | 9.4 | | | | | 0915.09s2Organizational.2 - 09.s | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json | 5bb220d9-2698-4ee4-8404-b9c30c9df609 |
| App Service | Ensure that 'HTTP Version' is the latest, if used to run the API app | None | Yes | | 9.9 | | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json | 991310cd-e9f3-47bc-b7b6-f57b557d07db |
| App Service | Ensure that 'HTTP Version' is the latest, if used to run the Function app | None | Yes | | 9.9 | | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json | e2c1c086-2d84-4019-bff3-c44ccd95113c |
| App Service | Ensure that 'HTTP Version' is the latest, if used to run the Web app | None | Yes | | 9.9 | | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json | 8c122334-9d20-4eb8-89ea-ac9a705b74ae |
| App Service | Ensure that 'Java version' is the latest, if used as a part of the API app | Optional | Yes | PV-7 | 9.8 | | | | 3.14.1 | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json | 88999f4c-376a-45c8-bcb3-4058f713cf39 |
| App Service | Ensure that 'Java version' is the latest, if used as a part of the Function app | Optional | Yes | PV-7 | 9.8 | | | | 3.14.1 | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc |
| App Service | Ensure that 'Java version' is the latest, if used as a part of the Web app | Optional | Yes | PV-7 | 9.8 | | | | 3.14.1 | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json | 496223c3-ad65-4ecd-878a-bae78737e9ed |
| App Service | Ensure that 'PHP version' is the latest, if used as a part of the API app | Optional | Yes | PV-7 | 9.6 | | | | 3.14.1 | | | PHPLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba |
| App Service | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Optional | Yes | PV-7 | 9.6 | | | | 3.14.1 | | | PHPLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json | 7261b898-8a84-4db8-9e04-18527132abb3 |
| App Service | Ensure that 'Python version' is the latest, if used as a part of the API app | Optional | Yes | PV-7 | 9.7 | | | | 3.14.1 | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json | 74c3584d-afae-46f7-a20a-6f8adba71a16 |
| App Service | Ensure that 'Python version' is the latest, if used as a part of the Function app | Optional | Yes | PV-7 | 9.7 | | | | 3.14.1 | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json | 7238174a-fd10-4ef0-817e-fc820a951d73 |
| App Service | Ensure that 'Python version' is the latest, if used as a part of the Web app | Optional | Yes | PV-7 | 9.7 | | | | 3.14.1 | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json | 7008174a-fd10-4ef0-817e-fc820a951d73 |
| App Service | FTPS only should be required in your API App | None | Yes | DP-4 | 9.10 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 |
| App Service | FTPS only should be required in your Function App | None | Yes | DP-4 | 9.10 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json | 399b2637-a50f-4f95-96f8-3a145476eb15 |
| App Service | FTPS should be required in your Web App | None | Yes | DP-4 | 9.10 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b |
| App Service | Function App should only be accessible over HTTPS | None | Yes | DP-4 | | | A.10.1.1 | SC-8 (1) | 3.13.8 | 0949.09y2Organizational.5 - 09.y | SS-8 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab |
| App Service | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | None | Yes | PV-2 | 9.4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json | eaebaea7-8013-4ceb-9d14-7eb32271373c |
| App Service | Function apps should use an Azure file share for its content directory | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_StorageAccountRequired_Audit.json | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 |
| App Service | Latest TLS version should be used in your API App | None | Yes | DP-4 | 9.3 | | | | 3.14.1 | 0949.09y2Organizational.5 - 09.y | CR-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e |
| App Service | Latest TLS version should be used in your Function App | None | Yes | DP-4 | 9.3 | | | | 3.14.1 | 0949.09y2Organizational.5 - 09.y | CR-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json | f9d614c5-c173-4d56-95a7-b4437057d193 |
| App Service | Latest TLS version should be used in your Web App | None | Yes | DP-4 | 9.3 | | | | 3.14.1 | 0949.09y2Organizational.5 - 09.y | CR-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b |
| App Service | Managed identity should be used in your API App | None | Yes | IM-2 | 9.5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef |
| App Service | Managed identity should be used in your Function App | None | Yes | IM-2 | 9.5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f |
| App Service | Managed identity should be used in your Web App | None | Yes | IM-2 | 9.5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json | 2b9ad585-36bc-4615-b300-fd4435808332 |
| App Service | Remote debugging should be turned off for API Apps | None | Yes | PV-2 | | | | AC-17 (1) | 3.1.12 | 0914.09s1Organizational.6 - 09.s | AC-7 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json | e9c8d085-d9cc-4b17-9cdc-059f1f01f19e |
| App Service | Remote debugging should be turned off for Function Apps | None | Yes | PV-2 | | | | AC-17 (1) | 3.1.12 | 1325.09s1Organizational.3 - 09.s | AC-7 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json | 0e60b895-3786-45da-8377-9c6b4b6ac5f9 |
| App Service | Remote debugging should be turned off for Web Applications | None | Yes | PV-2 | | | | AC-17 (1) | 3.1.12 | 0912.09s1Organizational.4 - 09.s | AC-7 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json | cb510bfd-1cba-4d9f-a230-cb0976f4bb71 |
| App Service | Resource logs in App Services should be enabled | Optional | Yes | | | | | | | | | requiredRetentionDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json | 91a78b24-f231-4a8a-8da9-02c35b2b6510 |
| App Service | Web Application should only be accessible over HTTPS | None | Yes | DP-4 | 9.2 | | A.10.1.1 | SC-8 (1) | 3.13.8 | 0949.09y2Organizational.5 - 09.y | SS-8 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json | a4af4a39-4135-47fb-b175-47fbdf85311d |
| App Service | Web apps should use an Azure file share for its content directory | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_StorageAccountRequired_Audit.json | dcbc65aa-59f3-4239-8978-3bb869d82604 |
| Attestation | Azure Attestation providers should use private endpoints | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Attestation/Attestation_PrivateLink_AuditIfNotExists.json | 7b256a2d-058b-41f8-bed9-3f870541c40a |
| Automation | Automation account variables should be encrypted | None | No | DP-5 | | | A.10.1.1 | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json | 3657f5a0-770e-44a3-b44e-9431ba1e9735 |
| Automation | Automation accounts should disable public network access | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Automation/AutomationAccount_PublicNetworkAccess_Audit.json | 955a914f-bf86-4f0e-acd5-e0766b0efcb6 |
| Automation | Azure Automation accounts should use customer-managed keys to encrypt data at rest | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Automation/AutomationAccount_CMK_Audit.json | 56a5ee18-2ae6-4810-86f7-18e39ce5629b |
| Automation | Private endpoint connections on Automation Accounts should be enabled | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Automation/AutomationAccount_PrivateEndpoint_AuditIfNotExist.json | 0c2b3618-68a8-4034-a150-ff4abc873462 |
| Azure Active Directory | Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Azure%20Active%20Directory/AADDomainServices_TLS_Audit.json | 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 |
| Azure Data Explorer | Azure Data Explorer encryption at rest should use a customer-managed key | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json | 81e74cea-30fd-40d5-802f-d72103c2aaaa |
| Azure Data Explorer | Disk encryption should be enabled on Azure Data Explorer | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json | f4b53539-8df9-40e4-86c6-6b607703bd4e |
| Azure Data Explorer | Double encryption should be enabled on Azure Data Explorer | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json | ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 |
| Azure Data Explorer | Virtual network injection should be enabled for Azure Data Explorer | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_VNET_configured.json | 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 |
| Azure Stack Edge | Azure Stack Edge devices should use double-encryption | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Azure%20Stack%20Edge/AzureStackEdge_DoubleEncryption_Audit.json | b4ac1030-89c5-4697-8e00-28b5ba6a8811 |
| Backup | Azure Backup should be enabled for Virtual Machines | None | Yes | BR-2 | | | | | | 1699.09l1Organizational.10 - 09.l | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json | 013e242c-8828-4970-87b3-ab247555486d |
| Backup | Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Required | No | | | | | | | | | enableDoubleEncryption | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Backup/AzBackupRSVault_CMKEnabled_Audit.json | 2e94d99a-8a36-4563-bc77-810d8893b671 |
| Backup | Azure Recovery Services vaults should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Backup/RecoveryServices_PrivateEndpoint_Audit.json | deeddb44-9f94-4903-9fa0-081d524406e3 |
| Batch | Azure Batch account should use customer-managed keys to encrypt data | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Batch/Batch_CustomerManagedKey_Audit.json | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a |
| Batch | Metric alert rules should be configured on Batch accounts | Required | Yes | | | | | | | | | metricName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Batch/Batch_AuditMetricAlerts_Audit.json | 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 |
| Batch | Private endpoint connections on Batch accounts should be enabled | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Batch/Batch_PrivateEndpoints_AuditIfNotExists.json | 009a0c92-f5b4-4776-9b66-4ed2b4775563 |
| Batch | Public network access should be disabled for Batch accounts | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Batch/Batch_DisablePublicNetworkAccess_Audit.json | 74c5a0ae-5e48-4738-b093-65e23a060488 |
| Batch | Resource logs in Batch accounts should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1205.09aa2System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json | 428256e6-1fac-4f48-a757-df34c2b3336d |
| Bot Service | Bot Service endpoint should be a valid HTTPS URI | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Bot%20Service/BotService_ValidEndpoint_Audit.json | 6164527b-e1ee-4882-8673-572f425f5e0a |
| Bot Service | Bot Service should be encrypted with a customer-managed key | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Bot%20Service/BotService_CMKEnabled_Audit.json | 51522a96-0869-4791-82f3-981000c2c67f |
| Bot Service | Bot Service should have isolated mode enabled | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Bot%20Service/BotService_NetworkIsolatedEnabled_Audit.json | 52152f42-0dda-40d9-976e-abb1acdd611e |
| Cache | Azure Cache for Redis should disable public network access | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cache/RedisCache_PublicNetworkAccess_AuditDeny.json | 470baccb-7e51-4549-8b1a-3e5be069f663 |
| Cache | Azure Cache for Redis should reside within a virtual network | None | No | NS-2 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json | 7d092e0a-7acd-40d2-a975-dca21cae48c4 |
| Cache | Azure Cache for Redis should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json | 7803067c-7d34-46e3-8c79-0ca68fc4036d |
| Cache | Only secure connections to your Azure Cache for Redis should be enabled | None | No | DP-4 | | | A.13.2.1 | SC-8 (1) | 3.13.8 | 0946.09y2Organizational.14 - 09.y | DM-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json | 22bee202-a82f-4305-9a2a-6d7f44d4dedb |
| Cognitive Services | Cognitive Services accounts should disable public network access | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json | 0725b4dd-7e76-479c-a735-68e7ee23d5ca |
| Cognitive Services | Cognitive Services accounts should enable data encryption with a customer-managed key | None | No | DP-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json | 67121cc7-ff39-4ab8-b7e3-95b84dab487d |
| Cognitive Services | Cognitive Services accounts should have local authentication methods disabled | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json | 71ef260a-8f18-47b7-abcb-62d0673d94dc |
| Cognitive Services | Cognitive Services accounts should restrict network access | None | No | NS-1 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json | 037eea7a-bd0a-46c5-9a66-03aea78705d3 |
| Cognitive Services | Cognitive Services accounts should use a managed identity | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_ManagedIdentity_Audit.json | fe3fd216-4f83-4fc1-8984-2bbec80a3418 |
| Cognitive Services | Cognitive Services accounts should use customer owned storage | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_UserOwnedStorage_Audit.json | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 |
| Cognitive Services | Cognitive Services should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json | cddd188c-4b82-4c48-a19d-ddf74ee66a01 |
| Compute | Allowed virtual machine size SKUs | Required | No | | | | | | | | | listOfAllowedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/VMSkusAllowed_Deny.json | cccc23c7-8427-4f53-ad12-b6a63eb452b3 |
| Compute | Audit VMs that do not use managed disks | None | Yes | | 7.1 | | A.9.1.2 | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json | 06a78e20-9358-41c9-923c-fb736d382a4d |
| Compute | Audit virtual machines without disaster recovery configured | None | Yes | | | | | CP-7 | | 1638.12b2Organizational.345 - 12.b | ESS-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json | 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 |
| Compute | Disk access resources should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json | f39f5f49-4abf-44de-8c70-0756997bfb51 |
| Compute | Managed disks should be double encrypted with both platform-managed and customer-managed keys | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/DoubleEncryptionRequired_Deny.json | ca91455f-eace-4f96-be59-e6e2c35b4816 |
| Compute | Managed disks should disable public network access | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/Disks_ExportLimitNetworkAccess_Audit.json | 8405fdab-1faf-48aa-b702-999c9c172094 |
| Compute | Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Required | No | | | | | | | | | allowedEncryptionSets | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/ManagedDiskEncryptionSetsAllowed_Deny.json | d461a302-a187-421a-89ac-84acdb4edc04 |
| Compute | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | None | Yes | | | | | | | 0201.09j1Organizational.124 - 09.j | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json | c43e4a30-77cb-48ab-a4dd-93f175c63b57 |
| Compute | Microsoft IaaSAntimalware extension should be deployed on Windows servers | None | Yes | | | | | | 3.14.2 | | SS-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AuditIfNotExists.json | 9b597639-28e4-48eb-b506-56b05d366257 |
| Compute | OS and data disks should be encrypted with a customer-managed key | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/OSAndDataDiskCMKRequired_Deny.json | 702dd420-7fcc-42c5-afe8-4026edd20fe0 |
| Compute | Only approved VM extensions should be installed | Required | No | | 7.4 | | | | | | | approvedExtensions | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json | c0e996f8-39cf-4af9-9f45-83fbde810432 |
| Compute | Require automatic OS image patching on Virtual Machine Scale Sets | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/VMSSOSUpgradeHealthCheck_Deny.json | 465f0161-0087-490a-9ad9-ad6217f4f43a |
| Compute | Resource logs in Virtual Machine Scale Sets should be enabled | Required | Yes | LT-4 | 5.3 | | | | | 1206.09aa2System.23 - 09.aa | | includeAKSClusters | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json | 7c1b1214-f927-48bf-8882-84f0af6588b1 |
| Compute | Unattached disks should be encrypted | None | Yes | | 7.3 | | | | | 0303.09o2Organizational.2 - 09.o | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json | 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 |
| Compute | Virtual machines and virtual machine scale sets should have encryption at host enabled | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/HostBasedEncryptionRequired_Deny.json | fc4d8e41-e223-45ea-9bf5-eada37891d87 |
| Compute | Virtual machines should be migrated to new Azure Resource Manager resources | None | No | AM-3 | | | A.9.1.2 | | | 0835.09n1Organizational.1 - 09.n | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d |
| Container Instance | Azure Container Instance container group should deploy into a virtual network | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Container%20Instance/ContainerInstance_VNET_Audit.json | 8af8f826-edcb-4178-b35f-851ea6fea615 |
Container Instance Azure Container Instance container group should use customer-managed key for encryption None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Container%20Instance/ContainerInstance_CMK_Audit.json 0aa61e00-0a01-4a3c-9945-e93cffedf0e6
Container Registry Container registries should be encrypted with a customer-managed key None No DP-5 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580
Container Registry Container registries should have SKUs that support Private Links None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_SkuSupportsPrivateEndpoints_AuditDeny.json bd560fc0-3c69-498a-ae9f-aa8eb7de0e13
Container Registry Container registries should have local authentication methods disabled. None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AdminAccountDisabled_AuditDeny.json dc921057-6b28-4fbe-9b83-f7bec05db6c2
Container Registry Container registries should not allow unrestricted network access None No NS-1 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json d0793b48-0edc-4296-a390-4c75d1bdfd71
Container Registry Container registries should use private link None Yes NS-3 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json e8eef0a8-67cf-4eb4-9386-14b0e78733d4
Container Registry Public network access should be disabled for Container registries None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PublicNetworkAccess_AuditDeny.json 0fdf0491-d080-4575-b627-ad0e843cba0f
Cosmos DB Azure Cosmos DB accounts should have firewall rules None No NS-4 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb
Cosmos DB Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest None No DP-5 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json 1f905d99-2ab7-462c-a6b0-f709acca6c8f
Cosmos DB Azure Cosmos DB allowed locations Required Yes nan nan nan nan nan nan nan nan listOfAllowedLocations, policyEffect https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_Locations_Deny.json 0473574d-2d43-4217-aefe-941fcdf7e684
Cosmos DB Azure Cosmos DB should disable public network access None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateNetworkAccess_AuditDeny.json 797b37f7-06b8-444c-b1ad-fc62867f335a
Cosmos DB Azure Cosmos DB throughput should be limited Required No nan nan nan nan nan nan nan nan throughputMax https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_MaxThroughput_Deny.json 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf
Cosmos DB Cosmos DB database accounts should have local authentication methods disabled None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_DisableLocalAuth_AuditDeny.json 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2
Cosmos DB CosmosDB accounts should use private link None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json 58440f8a-10c5-4151-bdce-dfbaad4a20b7
Data Box Azure Data Box jobs should enable double encryption for data at rest on the device Optional No nan nan nan nan nan nan nan nan supportedSKUs https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json c349d81b-9985-44ae-a8da-ff98d108ede8
Data Box Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password Optional No nan nan nan nan nan nan nan nan supportedSKUs https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_CMK_Audit.json 86efb160-8de7-451d-bc08-5d475b0aadae
Data Factory Azure Data Factory integration runtime should have a limit for number of cores Optional No nan nan nan nan nan nan nan nan maxCores https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/IR_Core_Count_Exceeds_Audit.json 85bb39b5-2f66-49f8-9306-77da3ac5130f
Data Factory Azure Data Factory linked service resource type should be in allow list Required No nan nan nan nan nan nan nan nan allowedLinkedServiceResourceTypes https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/LinkedService_ResourceType_Audit.json 6809a3d0-d354-42fb-b955-783d207c62a8
Data Factory Azure Data Factory linked services should use Key Vault for storing secrets None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/LinkedService_InlineSecrets_Audit.json 127ef6d7-242f-43b3-9eef-947faf1725d0
Data Factory Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/LinkedService_All_Auth_Audit_except_MSI.json f78ccdb4-7bf4-4106-8647-270491d2978a
Data Factory Azure Data Factory should use a Git repository for source control None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/Factory_None_GIT_Audit.json 77d40665-3120-4348-b539-3192ec808307
Data Factory Azure Data Factory should use private link None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/DataFactory_PrivateEndpoints_Audit.json 8b0323be-cc25-4b61-935d-002c3798c6ea
Data Factory Azure data factories should be encrypted with a customer-managed key None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/DataFactory_CustomerManagedKey_Audit.json 4ec52d6d-beb7-40c4-9a9e-fe753254690e
Data Factory Public network access on Azure Data Factory should be disabled None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/DataFactory_PublicNetworkAccess_Audit.json 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6
Data Factory SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/SSISIR_JoinVirtualNetwork_Audit.json 0088bc63-6dee-4a9c-9d29-91cfdc848952
Data Lake Require encryption on Data Lake Store accounts None No nan nan nan nan nan nan 0304.09o3Organizational.1 - 09.o nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStoreEncryption_Deny.json a7ff3161-0087-490a-9ad9-ad6217f4f43a
Data Lake Resource logs in Azure Data Lake Store should be enabled Optional Yes LT-4 5.3 nan nan nan nan 1202.09aa1System.1 - 09.aa nan requiredRetentionDays https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json 057ef27e-665e-4328-8ea3-04b3122bd9fb
Data Lake Resource logs in Data Lake Analytics should be enabled Optional Yes LT-4 5.3 nan nan nan nan 1210.09aa3System.3 - 09.aa nan requiredRetentionDays https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json c95c74d9-38fe-4f0d-af86-0c7d626a315c
Event Grid Azure Event Grid domains should disable public network access None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PublicNetworkAccess_AuditDeny.json f8f774be-6aee-492a-9e29-486ef81f3a68
Event Grid Azure Event Grid domains should use private link None Yes NS-3 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json 9830b652-8523-49cc-b1b3-e17dce1127ca
Event Grid Azure Event Grid topics should disable public network access None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PublicNetworkAccess_AuditDeny.json 1adadefe-5f21-44f7-b931-a59b54ccdb45
Event Grid Azure Event Grid topics should use private link None Yes NS-3 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json 4b90e17e-8448-49db-875e-bd83fb6f804f
Event Hub All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditNamespaceAccessRules_Audit.json b278e460-7cfc-4451-8294-cccc40a940d7
Event Hub Authorization rules on the Event Hub instance should be defined None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditEventHubAccessRules_Audit.json f4826e5f-6a27-407c-ae3e-9582eb39891d
Event Hub Event Hub namespaces should have double encryption enabled None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_InfrastructureEncryptionEnabled_Audit.json 836cd60e-87f3-4e6a-a27c-29d687f01a4c
Event Hub Event Hub namespaces should use a customer-managed key for encryption None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_CustomerManagedKeyEnabled_Audit.json a1ad735a-e96f-45d2-a7b2-9a4932cab7ec
Event Hub Event Hub namespaces should use private link None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json b8564268-eb4a-4337-89be-a19db070c59d
Event Hub Resource logs in Event Hub should be enabled Optional Yes LT-4 5.3 nan nan nan nan 1207.09aa2System.4 - 09.aa nan requiredRetentionDays https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json 83a214f7-d01a-484b-91a9-ed54470c9a6a
General Allowed locations Required No nan nan nan nan nan nan nan ESS-2 listOfAllowedLocations https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json e56962a6-4747-49cd-b67b-bf8b01975c4c
General Allowed locations for resource groups Required No nan nan nan nan nan nan nan ESS-2 listOfAllowedLocations https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json e765b5de-1225-4ba3-bd56-1ac6695af988
General Allowed resource types Required No nan nan nan nan nan nan nan nan listOfResourceTypesAllowed https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/General/AllowedResourceTypes_Deny.json a08ec900-254a-4555-9bf5-e42af04b5c5c
General Audit resource location matches resource group location None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/General/ResourcesInResourceGroupLocation_Audit.json 0a914e76-4921-4c19-b460-a2d36003525a
General Audit usage of custom RBAC rules None Yes PA-7 nan nan A.9.2.3 AC-2 (7) nan 1230.09c2Organizational.1 - 09.c nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json a451c1ef-c6ca-483d-87ed-f49761e3ffb5
General Custom subscription owner roles should not exist None Yes PA-7 1.21 nan nan nan nan 1278.09c2Organizational.56 - 09.c nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9
General Not allowed resource types Required No nan nan nan nan nan nan nan nan listOfResourceTypesNotAllowed https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/General/InvalidResourceTypes_Deny.json 6c112d4e-5bc7-47ae-a041-ea2d9dccd749
HDInsight Azure HDInsight clusters should be injected into a virtual network None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/HDInsight/HDInsight_VNETInjection_Audit.json b0ab5b05-1c98-40f7-bb9e-dc568e41b501
HDInsight Azure HDInsight clusters should use customer-managed keys to encrypt data at rest None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/HDInsight/HDInsight_CMK_Audit.json 64d314f6-6062-4780-a861-c23e8951bee5
HDInsight Azure HDInsight clusters should use encryption at host to encrypt data at rest None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/HDInsight/HDInsight_EncryptionAtHost_Audit.json 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6
HDInsight Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/HDInsight/HDInsight_EncryptionInTransit_Audit.json d9da03a1-f3c3-412a-9709-947156872263
Internet of Things Azure IoT Hub should use customer-managed key to encrypt data at rest None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IotHub_CMKEncryptionEnabled.json 2d7e144b-159c-44fc-95c1-ac3dbf5e6e54
Internet of Things IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_CMKEncryptionEnabled_AuditDeny.json 47031206-ce96-41f8-861b-6a915f3de284
Internet of Things IoT Hub device provisioning service instances should disable public network access None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_DisablePublicNetworkAccess_AuditDeny.json d82101f3-f3ce-4fc5-8708-4c09f4009546
Internet of Things IoT Hub device provisioning service instances should use private link None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json df39c015-56a4-45de-b4a3-efe77bed320d
Internet of Things Private endpoint should be enabled for IoT Hub None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_EnablePrivateEndpoint_Audit.json 0d40b058-9f95-4a19-93e3-9b0330baa2a3
Internet of Things Public network access on Azure IoT Hub should be disabled None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_DisablePublicNetworkAccess_AuditDeny.json 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb
Internet of Things Resource logs in IoT Hub should be enabled Optional Yes LT-4 5.3 nan nan nan nan 1204.09aa1System.3 - 09.aa nan requiredRetentionDays https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json 383856f8-de7f-44a2-81fc-e5135b5c2aa4
Key Vault Azure Key Vault Managed HSM should have purge protection enabled None No nan nan nan nan nan nan 1635.12b1Organizational.2 - 12.b nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json c39ba22d-4428-4149-b981-70acb31fc383
Key Vault Azure Key Vault should disable public network access None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json 55615ac9-af46-4a59-874e-391cc3dfb490
Key Vault Azure Key Vaults should use private link None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVault_Should_Use_PrivateEndpoint_Audit.json a6abeaec-4d90-4a02-805f-6b26c4d3fbe9
Key Vault Certificates should be issued by the specified integrated certificate authority Optional No nan nan nan nan nan nan nan nan allowedCAs https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Issuers_SupportedCAs.json 8e826246-c976-48f6-b03e-619bb92b3d82
Key Vault Certificates should be issued by the specified non-integrated certificate authority Required No nan nan nan nan nan nan nan nan caCommonName https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Issuers_CustomCAs.json a22f4a40-01d3-4c7d-8071-da157eeff341
Key Vault Certificates should have the specified lifetime action triggers Required No nan nan nan nan nan nan nan nan maximumPercentageLife, minimumDaysBeforeExpiry https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_LifetimeAction.json 12ef42cb-9903-4e39-9c26-422d29570417
Key Vault Certificates should have the specified maximum validity period Optional No nan nan nan nan nan nan nan nan maximumValidityInMonths https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json 0a075868-4c26-42ef-914c-5bc007359560
Key Vault Certificates should not expire within the specified number of days Required No nan nan nan nan nan nan nan nan daysToExpire https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Expiry_ByDays.json f772fb64-8e40-40ad-87bc-7706e1949427
Key Vault Certificates should use allowed key types Optional No nan nan nan nan nan nan nan nan allowedKeyTypes https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_AllowedKeyTypes.json 1151cede-290b-4ba0-8b38-0ad145ac888f
Key Vault Certificates using RSA cryptography should have the specified minimum key size Required No nan nan nan nan nan nan nan nan minimumRSAKeySize https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json cee51871-e572-4576-855c-047c820360f0
Key Vault Certificates using elliptic curve cryptography should have allowed curve names Optional No nan nan nan nan nan nan nan nan allowedECNames https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_EC_AllowedCurveNames.json bd78111f-4953-4367-9fd5-7e08808b54bf
Key Vault Key Vault keys should have an expiration date None No nan 8.1 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ExpirationSet.json 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0
Key Vault Key Vault secrets should have an expiration date None No nan 8.2 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ExpirationSet.json 98728c90-32c7-4049-8429-847dc0f4fe37
Key Vault Key vaults should have purge protection enabled None No BR-4 8.4 nan nan nan nan 1635.12b1Organizational.2 - 12.b nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53
Key Vault Key vaults should have soft delete enabled None No BR-4 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
Key Vault Keys should be backed by a hardware security module (HSM) None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_HSMBacked.json 587c79fe-dd04-4a5e-9d0b-f89598c7261b
Key Vault Keys should be the specified cryptographic type RSA or EC Optional No nan nan nan nan nan nan nan nan allowedKeyTypes https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_AllowedKeyTypes.json 75c4f823-d65c-4f29-a733-01d0077fdbcb
Key Vault Keys should have more than the specified number of days before expiration Required No nan nan nan nan nan nan nan nan minimumDaysBeforeExpiration https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_Expiry_ByDays.json 5ff38825-c5d8-47c5-b70e-069a21955146
Key Vault Keys should have the specified maximum validity period Required No nan nan nan nan nan nan nan nan maximumValidityInDays https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ValidityPeriod.json 49a22571-d204-4c91-a7b6-09b1a586fbc9
Key Vault Keys should not be active for longer than the specified number of days Required No nan nan nan nan nan nan nan nan maximumValidityInDays https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ActivePeriod.json c26e4b24-cf98-4c67-b48b-5a25c4c69eb9
Key Vault Keys using RSA cryptography should have a specified minimum key size Required No nan nan nan nan nan nan nan nan minimumRSAKeySize https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_RSA_MinimumKeySize.json 82067dbb-e53b-4e06-b631-546d197452d9
Key Vault Keys using elliptic curve cryptography should have the specified curve names Optional No nan nan nan nan nan nan nan nan allowedECNames https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_EC_AllowedCurveNames.json ff25f3c8-b739-4538-9d07-3d6d25cfb255
Key Vault Private endpoint should be configured for Key Vault None No NS-3 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json 5f0bc445-3935-4915-9981-011aa2b46147
Key Vault Resource logs in Azure Key Vault Managed HSM should be enabled Optional Yes nan nan nan nan nan nan 1211.09aa3System.4 - 09.aa nan requiredRetentionDays https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json a2a5b911-5617-447e-a49e-59dbe0e0434b
Key Vault Resource logs in Key Vault should be enabled Optional Yes LT-4 5.3 nan nan nan nan 1211.09aa3System.4 - 09.aa nan requiredRetentionDays https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json cf820ca0-f99e-4f3e-84fb-66e913812d21
Key Vault Secrets should have content type set None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ContentTypeSet.json 75262d3e-ba4a-4f43-85f8-9f72c090e5e3
Key Vault Secrets should have more than the specified number of days before expiration Required No nan nan nan nan nan nan nan nan minimumDaysBeforeExpiration https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_Expiry_ByDays.json b0eb591a-5e70-4534-a8bf-04b9c489584a
Key Vault Secrets should have the specified maximum validity period Required No nan nan nan nan nan nan nan nan maximumValidityInDays https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ValidityPeriod.json 342e8053-e12e-4c44-be01-c3c2f318400f
Key Vault Secrets should not be active for longer than the specified number of days Required No nan nan nan nan nan nan nan nan maximumValidityInDays https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ActivePeriod.json e8d99835-8a06-45ae-a8e0-87a91941ccfe
Kubernetes Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json 8dfab9c4-fe7b-49ad-85e4-1e9be085358f
Kubernetes Azure Kubernetes Service Private Clusters should be enabled None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AKS_PrivateCluster_Deny.json 040732e8-d947-40b8-95d6-854c95024bf8
Kubernetes Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters None Yes PV-2 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json 0a15ec92-a229-4763-bb14-0ea34a568f8d
Kubernetes Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json 7d7be79c-23ba-4033-84dd-45e2a5ccdd67
Kubernetes Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Required No nan nan nan nan nan nan nan nan excludedNamespaces, namespaces, labelSelector, cpuLimit, memoryLimit https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json e345eecc-fa47-480f-9e88-67dcc122b164
Kubernetes Kubernetes cluster containers should not share host process ID or host IPC namespace Required No PV-2 nan nan nan nan nan nan nan excludedNamespaces, namespaces, labelSelector https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
| Service | Policy Definition | Parameter Requirements | Audit Only | Azure Security Benchmark | CIS | CCMC L3 | ISO 27001 | NIST SP 800-53 R4 | NIST SP 800-171 R2 | HIPAA HITRUST 9.2 | New Zealand ISM | Parameters | Link | ID |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Kubernetes | Kubernetes cluster containers should not use forbidden sysctl interfaces | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, forbiddenSysctls | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ForbiddenSysctlInterfaces.json | 56d0a13f-712f-466b-8416-56fb354fb823 |
| Kubernetes | Kubernetes cluster containers should only listen on allowed ports | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedContainerPortsList | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedPorts.json | 440b515e-a580-421e-abeb-b159a61ddcbc |
| Kubernetes | Kubernetes cluster containers should only use allowed AppArmor profiles | Required | No | PV-2 |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedProfiles | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json | 511f5417-5d12-434d-ab2e-816901e72a5e |
| Kubernetes | Kubernetes cluster containers should only use allowed ProcMountType | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, procMountType | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedProcMountType.json | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 |
| Kubernetes | Kubernetes cluster containers should only use allowed capabilities | Required | No | PV-2 |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedCapabilities, requiredDropCapabilities | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json | c26596ff-4d70-4e6a-9a30-c2506bd2f80c |
| Kubernetes | Kubernetes cluster containers should only use allowed images | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedContainerImagesRegex | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json | febd0533-8e55-448f-b837-bd0e06f16469 |
| Kubernetes | Kubernetes cluster containers should only use allowed seccomp profiles | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedProfiles | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedSeccompProfile.json | 975ce327-682c-4f2e-aa46-b9598289b86c |
| Kubernetes | Kubernetes cluster containers should run with a read only root file system | Required | No | PV-2 |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json | df49d893-a74c-421d-bc95-c663042e5b80 |
| Kubernetes | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedFlexVolumeDrivers | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/FlexVolumeDrivers.json | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 |
| Kubernetes | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Required | No | PV-2 |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedHostPaths | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json | 098fc59e-46c7-4d99-9b16-64990e543d75 |
| Kubernetes | Kubernetes cluster pods and containers should only run with approved user and group IDs | Required | No | PV-2 |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, runAsUserRule, runAsUserRanges, runAsGroupRule, runAsGroupRanges, supplementalGroupsRule, supplementalGroupsRanges, fsGroupRule, fsGroupRanges | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json | f06ddb64-5fa3-4b77-b166-acb36f7f6042 |
| Kubernetes | Kubernetes cluster pods and containers should only use allowed SELinux options | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedSELinuxOptions | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/SELinux.json | e1e6c427-07d9-46ab-9689-bfa85431e636 |
| Kubernetes | Kubernetes cluster pods should only use allowed volume types | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedVolumeTypes | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedVolumeTypes.json | 16697877-1118-4fb1-9b65-9898ec2509ec |
| Kubernetes | Kubernetes cluster pods should only use approved host network and port range | Required | No | PV-2 |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowHostNetwork, minPort, maxPort | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe |
| Kubernetes | Kubernetes cluster pods should use specified labels | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, labelsList | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/PodEnforceLabels.json | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 |
| Kubernetes | Kubernetes cluster services should listen only on allowed ports | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedServicePortsList | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json | 233a2a17-77ca-4fb1-9b6b-69223d272a44 |
| Kubernetes | Kubernetes cluster services should only use allowed external IPs | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, allowedExternalIPs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedExternalIPs.json | d46c275d-1680-448d-b2ec-e495a3b6cc89 |
| Kubernetes | Kubernetes cluster should not allow privileged containers | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, excludedContainers | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json | 95edb821-ddaf-4404-9732-666045e056b4 |
| Kubernetes | Kubernetes clusters should be accessible only over HTTPS | Required | No | DP-4 |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d |
| Kubernetes | Kubernetes clusters should disable automounting API credentials | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json | 423dd1ba-798e-40e4-9c4d-b6902674b423 |
| Kubernetes | Kubernetes clusters should not allow container privilege escalation | Required | No | PV-2 |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 |
| Kubernetes | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json | d2e7ea85-6b44-4317-a0be-1b951587f626 |
| Kubernetes | Kubernetes clusters should not use specific security capabilities | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector, disallowedCapabilities | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedCapabilities.json | a27c700f-8a22-44ec-961c-41625264370b |
| Kubernetes | Kubernetes clusters should not use the default namespace | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json | 9f061a12-e40d-4183-a00e-171812443373 |
| Kubernetes | Kubernetes clusters should use internal load balancers | Required | No |  |  |  |  |  |  |  |  | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/LoadbalancerNoPublicIPs.json | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e |
| Kubernetes | Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AKS_EncryptionAtHost_Deny.json | 41425d9f-d1a5-499a-9932-f8ed8453932c |
| Lighthouse | Allow managing tenant ids to onboard through Azure Lighthouse | Required | No |  |  |  |  |  |  |  |  | listOfAllowedTenants | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Lighthouse/AllowCertainManagingTenantIds_Deny.json | 7a8a51a3-ad87-4def-96f3-65a1839242b6 |
| Lighthouse | Audit delegation of scopes to a managing tenant | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Lighthouse/Lighthouse_Delegations_Audit.json | 76bed37b-484f-430f-a009-fd7592dff818 |
| Logic Apps | Logic Apps Integration Service Environment should be encrypted with customer-managed keys | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_ISEWithCustomerManagedKey_AuditDeny.json | 1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5 |
| Logic Apps | Logic Apps should be deployed into Integration Service Environment | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_LogicAppsInISE_AuditDeny.json | dc595cb1-1cde-45f6-8faf-f88874e1c0e1 |
| Logic Apps | Resource logs in Logic Apps should be enabled | Optional | Yes | LT-4 | 5.3 |  |  |  |  | 1203.09aa1System.2 - 09.aa |  | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json | 34f95f76-5386-4de7-b824-0d8478470c9d |
| Machine Learning | Azure Machine Learning workspaces should be encrypted with a customer-managed key | None | No | DP-5 |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 |
| Machine Learning | Azure Machine Learning workspaces should use private link | None | No | NS-3 |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json | 40cec1dd-a100-4920-b15b-3024fe8901ab |
| Machine Learning | Azure Machine Learning workspaces should use user-assigned managed identity | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_UAIEnabled_Audit.json | 5f0c7d88-c7de-45b8-ac49-db49e72eaa78 |
| Machine Learning | Configure allowed Python packages for specified Azure Machine Learning computes | Required | No |  |  |  |  |  |  |  |  | computeNames, computeType, isIsolatedNetwork, allowedPythonPackageChannels | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedPythonPackageChannels_EnforceSetting.json | 77eeea86-7e81-4a7d-9067-de844d096752 |
| Machine Learning | Configure allowed module authors for specified Azure Machine Learning computes | Required | No |  |  |  |  |  |  |  |  | computeNames, computeType, isIsolatedNetwork, allowedModuleAuthors | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedModuleAuthors_EnforceSetting.json | 53c70b02-63dd-11ea-bc55-0242ac130003 |
| Machine Learning | Configure allowed registries for specified Azure Machine Learning computes | Required | No |  |  |  |  |  |  |  |  | computeNames, computeType, isIsolatedNetwork, allowedACRs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedACRs_EnforceSetting.json | 5853517a-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Required | No |  |  |  |  |  |  |  |  | computeNames, computeType, isIsolatedNetwork, approvalEndpoint | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/ApprovalEndpoint_EnforceSetting.json | 3948394e-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Configure code signing for training code for specified Azure Machine Learning computes | Required | No |  |  |  |  |  |  |  |  | computeNames, computeType, isIsolatedNetwork, signingKey | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedSigningKey_EnforceSetting.json | 6a6f7384-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Required | No |  |  |  |  |  |  |  |  | computeNames, computeType, isIsolatedNetwork, logFilters, datastore | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedLogFilter_EnforceSetting.json | 1d413020-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Machine Learning computes should have local authentication methods disabled | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/MachineLearningServices_DisableLocalAuth_Audit.json | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f |
| Managed Application | Application definition for Managed Application should use customer provided storage account | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Managed%20Application/ApplicationDefinition_Missing_StorageAccount_Deny.json | 9db7917b-1607-4e7d-a689-bca978dd0633 |
| Media Services | Azure Media Services accounts should use an API that supports Private Link | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Media%20Services/MediaServices_RequirePrivateLinkSupport_Audit.json | a77d8bb4-8d22-4bc1-a884-f582a705b480 |
| Media Services | Azure Media Services accounts that allow access to the legacy v2 API should be blocked | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Media%20Services/MediaServices_BlockRestV2_Audit.json | ccf93279-9c91-4143-a841-8d1f21505455 |
| Media Services | Azure Media Services content key policies should use token authentication | Required | No |  |  |  |  |  |  |  |  | openIdConnectDiscoveryDocument, issuer, audience | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Media%20Services/ContentKeyPolicies_RequireTokenAuth_Audit.json | daccf7e4-9808-470c-a848-1c5b582a1afb |
| Media Services | Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns | Required | No |  |  |  |  |  |  |  |  | allowedJobInputHttpUriPatterns | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Media%20Services/Jobs_RestrictHttpInputs.json | e9914afe-31cd-4b8a-92fa-c887f847d477 |
| Media Services | Azure Media Services should use private link | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Media%20Services/MediaServices_PrivateLink_AuditIfNotExists.json | 4a591bf5-918e-4a5f-8dad-841863140d61 |
| Monitoring | Activity log should be retained for at least one year | None | Yes |  |  |  |  |  |  |  | AC-15 |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json | b02aacc0-b073-424e-8298-42b22829ee0a |
| Monitoring | An activity log alert should exist for specific Administrative operations | Required | Yes |  | 5.2.9 |  |  |  |  | 1271.09ad1System.1 - 09.ad |  | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json | b954148f-4c11-4c38-8221-be76711e194a |
| Monitoring | An activity log alert should exist for specific Policy operations | Required | Yes |  | 5.2.2 |  |  |  |  |  |  | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json | c5447c04-a4d7-4ba8-a263-c9ee321a6858 |
| Monitoring | An activity log alert should exist for specific Security operations | Required | Yes |  | 5.2.8 |  |  |  |  |  |  | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json | 3b980d31-7904-4bb7-8575-5665739a8052 |
| Monitoring | Application Insights components should block log ingestion and querying from public networks | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/ApplicationInsightsComponents_NetworkAccessEnabled_Deny.json | 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 |
| Monitoring | Application Insights components should block non-Azure Active Directory based ingestion. | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/ApplicationInsightsComponents_DisableLocalAuth_Deny.json | 199d5677-e4d9-4264-9465-efe1839c06bd |
| Monitoring | Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger. | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/ApplicationInsightsComponents_ForceCustomerStorageForProfiler_Deny.json | 0c4bd2e8-8872-4f37-a654-03f6f38ddc76 |
| Monitoring | Audit diagnostic setting | Required | Yes |  |  |  | A.12.4.4 | AU-12 | 3.3.4 | 1210.09aa3System.3 - 09.aa | DM-6 | listOfResourceTypes | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json | 7f89b1eb-583c-429a-8828-af049802c1d9 |
| Monitoring | Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/ScheduledQueryRules_CMKEnabled_Deny.json | 94c1f94d-33b0-4062-bd04-1cdc3e7eece2 |
| Monitoring | Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKDoubleEncryptionEnabled_Deny.json | ea0dfaed-95fb-448c-934e-d6e713ce393d |
| Monitoring | Azure Monitor Logs clusters should be encrypted with customer-managed key | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json | 1f68a601-6e6d-4e42-babf-3f643a047ea2 |
| Monitoring | Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/ApplicationInsightsComponent_WorkspaceAssociation_Deny.json | d550e854-df1a-4de9-bf44-cd894b39a95e |
| Monitoring | Azure Monitor Private Link Scope should use private link | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitorPrivateLinkScopes_PrivateEndpoints_Audit.json | 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 |
| Monitoring | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | None | Yes |  |  |  |  |  |  | 1219.09ab3System.10 - 09.ab |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json | 1a4e592a-6a6e-44a5-9814-e36264ca96e7 |
| Monitoring | Azure Monitor should collect activity logs from all regions | None | Yes |  |  |  |  |  |  | 1214.09ab2System.3456 - 09.ab |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json | 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 |
| Monitoring | Azure Monitor solution 'Security and Audit' must be deployed | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/Security_Audit_MustBeDeployed.json | 3e596b57-105f-48a6-be97-03e9243bad6e |
| Monitoring | Azure subscriptions should have a log profile for Activity Log | None | Yes |  |  |  |  |  |  |  | AC-13 |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Logprofile_activityLogs_Audit.json | 7796937f-307b-4598-941c-67d3a05ebfe7 |
| Monitoring | Dependency agent should be enabled for listed virtual machine images | Required | Yes |  |  |  |  |  |  |  |  | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json | 11ac78e3-31bc-4f0c-8434-37ab963cea07 |
| Monitoring | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Required | Yes |  |  |  |  |  |  |  |  | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 |
| Monitoring | Log Analytics Agent should be enabled for listed virtual machine images | Required | Yes |  |  |  |  |  |  |  |  | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json | 32133ab0-ee4b-4b44-98d6-042180979d50 |
| Monitoring | Log Analytics Workspaces should block non-Azure Active Directory based ingestion. | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsWorkspaces_DisableLocalAuth_Deny.json | e15effd4-2278-4c65-a0da-4d6f6d1890e2 |
| Monitoring | Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images | Required | Yes |  |  |  |  |  |  |  |  | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 |
| Monitoring | Log Analytics agent should be installed on your Linux Azure Arc machines | None | Yes | LT-5 |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 |
| Monitoring | Log Analytics agent should be installed on your Windows Azure Arc machines | None | Yes | LT-5 |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e |
| Monitoring | Log Analytics workspaces should block log ingestion and querying from public networks | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsWorkspaces_NetworkAccessEnabled_Deny.json | 6c53d030-cc64-46f0-906d-2bc061cd1334 |
| Monitoring | Network traffic data collection agent should be installed on Linux virtual machines | None | Yes | LT-3 |  |  |  |  |  | 0885.09n2Organizational.3 - 09.n |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json | 04c4380f-3fae-46e8-96c9-30193528f602 |
| Monitoring | Network traffic data collection agent should be installed on Windows virtual machines | None | Yes | LT-3 |  |  |  |  |  | 0887.09n2Organizational.5 - 09.n |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d |
| Monitoring | Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsWorkspaces_CMKBYOSQueryEnabled_Deny.json | fa298e57-9444-42ba-bf04-86e8470e32c7 |
| Monitoring | Storage account containing the container with activity logs must be encrypted with BYOK | None | Yes |  | 5.1.4 |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json | fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 |
| Monitoring | The Log Analytics agent should be installed on Virtual Machine Scale Sets | None | Yes |  |  |  |  |  | 3.3.2 | 1216.09ab3System.12 - 09.ab |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json | efbde977-ba53-4479-b8e9-10b957924fbf |
| Monitoring | The Log Analytics agent should be installed on virtual machines | None | Yes |  |  |  |  |  | 3.3.2 | 1215.09ab2System.7 - 09.ab |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json | a70ca396-0a34-413a-88e1-b956c1e683be |
| Monitoring | Virtual machines should be connected to a specified workspace | Required | Yes |  |  |  |  |  |  |  |  | logAnalyticsWorkspaceId | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json | f47b5582-33ec-4c5c-87c0-b010a6b2e917 |
| Monitoring | Workbooks should be saved to storage accounts that you control | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/Workbooks_BYOSEnabled_Audit.json | 6fc8115b-2008-441f-8c61-9b722c1e537f |
| Network | A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | Required | Yes |  |  |  |  |  |  |  |  | IPsecEncryption, IPsecIntegrity, IKEEncryption, IKEIntegrity, DHGroup, PFSGroup | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VPNGateways_CustomIpSecPolicies_Audit.json | 50b83b09-03da-41c1-b656-c293c914862b |
| Network | All Internet traffic should be routed via your deployed Azure Firewall | None | Yes | NS-5 |  |  |  |  |  |  | NS-7 |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json | fc5e4038-4584-4632-8c85-c0448d374b2c |
| Network | Azure VPN gateways should not use 'basic' SKU | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VPNGateways_BasicSKU_Audit.json | e345b6c3-24bd-4c93-9bbb-7e5e49a17b78 |
| Network | Flow logs should be configured for every network security group | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_Audit.json | c251913d-7d24-4958-af87-478ed3b9ba41 |
| Network | Flow logs should be enabled for every network security group | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkWatcherFlowLog_Enabled_Audit.json | 27960feb-a23c-4577-8d36-ef8b5f35e0be |
| Network | Gateway subnets should not be configured with a network security group | None | No |  |  |  |  |  |  | 0894.01m2Organizational.7 - 01.m |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json | 35f9c03a-cc27-418e-9c0c-539ff999d010 |
| Network | Network Watcher flow logs should have traffic analytics enabled | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_TrafficAnalytics_Audit.json | 2f080164-9f4d-497e-9db6-416dc9f7b48a |
| Network | Network Watcher should be enabled | Required | Yes | LT-3 | 6.5 |  |  |  | 3.14.6 | 0888.09n2Organizational.6 - 09.n |  | listOfLocations, resourceGroupName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 |
| Network | Network interfaces should disable IP forwarding | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkIPForwardingNic_Deny.json | 88c0b9da-ce96-4b03-9635-f29a937e2900 |
| Network | Network interfaces should not have public IPs | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/NetworkPublicIPNic_Deny.json | 83a86a26-fd1f-447c-b59d-e51f44264114 |
| Network | RDP access from the Internet should be blocked | None | Yes | NS-4 | 6.1 |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json | e372f825-a257-4fb8-9175-797a8a8627d6 |
| Network | SSH access from the Internet should be blocked | None | Yes | NS-4 | 6.2 |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json | 2c89a2e5-7285-40fe-afe0-ae8654b92fab |
| Network | Virtual machines should be connected to an approved virtual network | Required | No |  |  |  |  |  |  | 0814.01n1Organizational.12 - 01.n |  | virtualNetworkId | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json | d416745a-506c-48b6-8ab1-83cb814bcaa3 |
| Network | Virtual networks should use specified virtual network gateway | Required | Yes |  |  |  |  |  |  |  |  | virtualNetworkGatewayId | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetwork_ApprovedVirtualNetworkGateway_AuditIfNotExists.json | f1776c76-f58c-4245-a8d0-2b207198dc8b |
| Network | Web Application Firewall (WAF) should be enabled for Application Gateway | None | No | NS-4 |  |  |  |  |  |  | NS-7 |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 |
| Network | Web Application Firewall (WAF) should be enabled for Azure Front Door Service service | None | No | NS-4 |  |  |  |  |  |  | NS-7 |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c |
| Network | Web Application Firewall (WAF) should use the specified mode for Application Gateway | Optional | No |  |  |  |  |  |  |  | NS-7 | modeRequirement | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json | 12430be1-6cc8-4527-a9a8-e3d38f250096 |
| Network | Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Optional | No |  |  |  |  |  |  |  | NS-7 | modeRequirement | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json | 425bea59-a659-4cbb-8d31-34499bd030b8 |
| Portal | Shared dashboards should not have markdown tiles with inline content | None | No |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Portal/SharedDashboardInlineContent_Deny.json | 04c655fe-0ac7-48ae-9a32-3a2e208c7624 |
| SQL | An Azure Active Directory administrator should be provisioned for SQL servers | None | Yes | IM-1 | 4.4 |  | A.9.2.3 | AC-2 (7) |  |  | DM-6 |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json | 1f314764-cb73-4fc9-b863-8eca98ac36e9 |
| SQL | Auditing on SQL server should be enabled | Optional | Yes | LT-4 | 4.1.1 |  | A.12.4.4 | AU-12 | 3.3.4 | 1211.09aa3System.4 - 09.aa |  | setting | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 |
| SQL | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 |
| SQL | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 |
| SQL | Azure SQL Database should have the minimal TLS version of 1.2 | None | Yes |  |  |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlServer_MiniumTLSVersion_Audit.json | 32e6bbec-16b6-44c2-be37-c5b672d103cf |
| SQL | Connection throttling should be enabled for PostgreSQL database servers | None | Yes |  | 4.3.6 |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json | 5345bb39-67dc-4960-a1bf-427e16b9a0bd |
| SQL | Disconnections should be logged for PostgreSQL database servers. | None | Yes |  | 4.3.5 |  |  |  |  |  |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json | eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 |
| SQL | Enforce SSL connection should be enabled for MySQL database servers | None | Yes | DP-4 | 4.3.1 |  |  |  |  | 0948.09y2Organizational.3 - 09.y |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json | e802a67a-daf5-4436-9ea6-f6d821dd0c5d |
| SQL | Enforce SSL connection should be enabled for PostgreSQL database servers | None | Yes | DP-4 | 4.3.2 |  |  |  |  | 0947.09y2Organizational.2 - 09.y |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json | d158790f-bfb0-486c-8631-2dc6b4e8e6af |
| SQL | Geo-redundant backup should be enabled for Azure Database for MariaDB | None | Yes | BR-2 |  |  |  |  |  | 1627.09l3Organizational.6 - 09.l |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMariaDB_Audit.json | 0ec47710-77ff-4a3d-9181-6aa50af424d0 |
| SQL | Geo-redundant backup should be enabled for Azure Database for MySQL | None | Yes | BR-2 |  |  |  |  |  | 1622.09l2Organizational.23 - 09.l |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMySQL_Audit.json | 82339799-d096-41ae-8538-b108becf0970 |
| SQL | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | None | Yes | BR-2 |  |  |  |  |  | 1626.09l3Organizational.5 - 09.l |  |  | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json | 48af4db5-9b8b-401c-8e74-076be876a430 |
SQL Infrastructure encryption should be enabled for Azure Database for MySQL servers None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_InfrastructureEncryption_Audit.json 3a58212a-c829-4f13-9872-6371df2fd0b4
SQL Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_InfrastructureEncryption_Audit.json 24fba194-95d6-48c0-aea7-f65bf859c598
SQL Log checkpoints should be enabled for PostgreSQL database servers None Yes nan 4.3.3 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogCheckpoint_Audit.json eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d
SQL Log connections should be enabled for PostgreSQL database servers None Yes nan 4.3.4 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json eb6f77b9-bd53-4e35-a23d-7f65d5f0e442
SQL Log duration should be enabled for PostgreSQL database servers None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDuration_Audit.json eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3
SQL Long-term geo-redundant backup should be enabled for Azure SQL Databases None Yes BR-2 nan nan nan nan nan 1621.09l2Organizational.1 - 09.l nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json d38fc420-0735-4ef3-ac11-c806f651a570
SQL MySQL servers should use customer-managed keys to encrypt data at rest None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json 83cef61d-dbd1-4b20-a4fc-5fbc7da10833
SQL PostgreSQL servers should use customer-managed keys to encrypt data at rest None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json 18adea5e-f416-4d0f-8aa8-d24321e3e274
SQL Private endpoint connections on Azure SQL Database should be enabled None Yes NS-3 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json 7698e800-9299-47a6-b3b6-5a0fee576eed
SQL Private endpoint should be enabled for MariaDB servers None Yes NS-3 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json 0a1302fb-a631-4106-9753-f3d494733990
SQL Private endpoint should be enabled for MySQL servers None Yes NS-3 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json 7595c971-233d-4bcf-bd18-596129188c49
SQL Private endpoint should be enabled for PostgreSQL servers None Yes NS-3 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json 0564d078-92f5-4f97-8398-b9f58a51f70b
SQL Public network access on Azure SQL Database should be disabled None No NS-1 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json 1b8ca024-1d5c-4dec-8995-b1a932b41780
SQL Public network access should be disabled for MariaDB servers None Yes NS-1 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json fdccbe47-f3e3-4213-ad5d-ea459b2fa077
SQL Public network access should be disabled for MySQL flexible servers None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json c9299215-ae47-4f50-9c54-8a392f68a052
SQL Public network access should be disabled for MySQL servers None Yes NS-1 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json d9844e8a-1437-4aeb-a32c-0c992f056095
SQL Public network access should be disabled for PostgreSQL flexible servers None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48
SQL Public network access should be disabled for PostgreSQL servers None Yes NS-1 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json b52376f7-9612-48a1-81cd-1ffe4b61032c
SQL SQL Auditing settings should have Action-Groups configured to capture critical activities None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_ActionsAndGroups_Audit.json 7ff426e2-515f-405a-91c8-4f2333442eb5
SQL SQL Database should avoid using GRS backup redundancy None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlDb_BlockGrsBackupRedundancy_Deny.json b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13
SQL SQL Managed Instance should have the minimal TLS version of 1.2 None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_MiniumTLSVersion_Audit.json a8793640-60f7-487c-b5c3-1d37215905c4
SQL SQL Managed Instances should avoid using GRS backup redundancy None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_BlockGrsBackupRedundancy_Deny.json a9934fd7-29f2-4e6d-ab3d-607ea38e9079
SQL SQL managed instances should use customer-managed keys to encrypt data at rest None Yes DP-5 4.5 nan nan nan nan 0304.09o3Organizational.1 - 09.o nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json 048248b0-55cd-46da-b1ff-39efd52db260
SQL SQL servers should use customer-managed keys to encrypt data at rest None Yes DP-5 4.5 nan nan nan nan 0304.09o3Organizational.1 - 09.o nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json 0d134df8-db83-46fb-ad72-fe0c9428c8dd
SQL SQL servers with auditing to storage account destination should be configured with 90 days retention or higher None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditingRetentionDays_Audit.json 89099bee-89e0-4b26-a5f4-165451757743
SQL Transparent Data Encryption on SQL databases should be enabled None Yes DP-5 4.1.2 nan A.10.1.1 SC-28 (1) 3.13.16 0301.09o1Organizational.123 - 09.o DM-6 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json 17k78e20-9358-41c9-923c-fb736d382a12
SQL Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet Required Yes nan nan nan nan nan nan nan nan subnetId https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlServer_VNetRules_Audit.json 77e8b146-0078-4fb2-b002-e112381199f0
SQL Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports None Yes nan 4.2.4 nan nan nan nan nan ISM-3 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9
SQL Vulnerability assessment should be enabled on SQL Managed Instance None Yes PV-6 4.2.2 nan nan nan nan 0719.10m3Organizational.5 - 10.m ISM-3 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json 1b7aa243-30e4-4c9e-bca8-d0d3022b634a
SQL Vulnerability assessment should be enabled on your SQL servers None Yes PV-6 4.2.2 nan nan nan nan 0709.10m1Organizational.1 - 10.m ISM-3 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9
Search Azure Cognitive Search service should use a SKU that supports private link None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json a049bf77-880b-470f-ba6d-9f21c530cf83
Search Azure Cognitive Search services should disable public network access None No nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json ee980b6d-0eca-4501-8d54-f6290fd512c3
Search Azure Cognitive Search services should use private link None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Search/Search_PrivateEndpoints_Audit.json 0fda3595-9f2b-4592-8675-4231d6fa82fe
Search Resource logs in Search services should be enabled Optional Yes LT-4 5.3 nan nan nan nan 1208.09aa3System.1 - 09.aa nan requiredRetentionDays https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json b4330a05-a843-4bc8-bf9a-cacce50c67f4
Security Center A maximum of 3 owners should be designated for your subscription None Yes PA-1 nan nan A.6.1.2 AC-6 (7) 3.1.4 11112.01q2Organizational.67 - 01.q AC-2 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json 4f11b553-d42e-4e3a-89be-32ca364cad4c
Security Center A vulnerability assessment solution should be enabled on your virtual machines None Yes PV-6 nan nan A.12.6.1 SI-2 3.14.1 0711.10m2Organizational.23 - 10.m ISM-3 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json 501541f7-f7e7-4cd6-868c-4190fdad3ac9
Security Center Adaptive application controls for defining safe applications should be enabled on your machines None Yes AM-6 nan nan A.12.6.2 CM-11 3.4.9 0607.10h2System.23 - 10.h SS-4 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json 47a6b606-51aa-4496-8bb7-64b11cf66adc
Security Center Adaptive network hardening recommendations should be applied on internet facing virtual machines None Yes NS-4 nan nan nan SC-7 3.13.5 0859.09m1Organizational.78 - 09.m NS-2 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json 08e6af2d-db70-460a-bfe9-d5bd474ba9d6
Security Center All network ports should be restricted on network security groups associated to your virtual machine None Yes nan nan nan A.13.1.1 SC-7 3.13.5 0858.09m1Organizational.4 - 09.m nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json 9daedab3-fb2d-461e-b861-71790eead4f6
Security Center Allowlist rules in your adaptive application control policy should be updated None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json 123a3936-f020-408a-ba0c-47873faf1534
Security Center Authorized IP ranges should be defined on Kubernetes Services None Yes NS-4 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea
Security Center Auto provisioning of the Log Analytics agent should be enabled on your subscription None Yes LT-5 2.11 nan nan nan nan 1220.09ab3System.56 - 09.ab nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json 475aae12-b88a-4572-8b36-9b712b2b3a17
Security Center Azure DDoS Protection Standard should be enabled None Yes NS-4 nan nan nan SC-5 nan nan NS-5 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json a7aca53f-2ed4-4466-a25e-0b45ade68efd
Security Center Azure Defender for App Service should be enabled None Yes IR-5 2.2 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json 2913021d-f2fd-4f3d-b958-22354e2bdbcb
Security Center Azure Defender for Azure SQL Database servers should be enabled None Yes IR-5 2.3 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
Security Center Azure Defender for DNS should be enabled None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnDns_Audit.json bdc59948-5574-49b3-bb91-76b7c986428d
Security Center Azure Defender for Key Vault should be enabled None Yes IR-5 2.8 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json 0e6763cc-5078-4e64-889d-ff4d9a839047
Security Center Azure Defender for Kubernetes should be enabled None Yes IR-5 2.6 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json 523b5cd1-3e23-492f-a539-13118b6d1e3a
Security Center Azure Defender for Resource Manager should be enabled None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json c3d20c29-b36d-48fe-808b-99a87530ad99
Security Center Azure Defender for SQL servers on machines should be enabled None Yes IR-5 2.4 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json 6581d072-105e-4418-827f-bd446d56421b
Security Center Azure Defender for Storage should be enabled None Yes IR-5 2.5 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json 308fbb08-4ab8-4e67-9b29-592e93fb94fa
Security Center Azure Defender for container registries should be enabled None Yes IR-5 2.7 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
Security Center Azure Defender for servers should be enabled None Yes ES-1 2.1 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json 4da35fc9-c9e7-4960-aec9-797fe7d9051d
Security Center Cloud Services (extended support) role instances should be configured securely None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_CsesOSVulnerabilities_Audit.json a0c11ca4-5828-4384-a2f2-fd7444dd5b4d
Security Center Cloud Services (extended support) role instances should have an endpoint protection solution installed None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_CsesMissingEndpointProtection_Audit.json 1e378679-f122-4a96-a739-a7729c46e1aa
Security Center Cloud Services (extended support) role instances should have system updates installed None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_CsesMissingSystemUpdates_Audit.json 4df26ba8-026d-45b0-9521-bffa44d741d2
Security Center Deprecated accounts should be removed from your subscription None Yes PA-3 nan nan A.9.2.6 AC-2 3.1.1 nan AC-5 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json 6b1cbf55-e8b6-442f-ba4c-7246b6381474
Security Center Deprecated accounts with owner permissions should be removed from your subscription None Yes PA-3 nan nan A.9.2.6 AC-2 3.1.1 1147.01c2System.456 - 01.c AC-5 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json ebb62a0c-3560-49e1-89ed-27e074e9f8ad
Security Center Email notification for high severity alerts should be enabled None Yes IR-2 2.14 nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json 6e2593d9-add6-4083-9c9b-4b7d2188c899
Security Center Email notification to subscription owner for high severity alerts should be enabled None Yes IR-2 nan nan nan nan 3.14.6 nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json 0b15565f-aa9e-48ba-8619-45960f2c314d
Security Center Endpoint protection solution should be installed on virtual machine scale sets None Yes ES-3 nan nan nan SI-3 (1) 3.14.2 0201.09j1Organizational.124 - 09.j DM-4 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json 26a828e1-e88f-464e-bbb3-c134a282b9de
Security Center External accounts with owner permissions should be removed from your subscription None Yes PA-3 1.3 nan A.9.2.5 AC-2 3.1.1 1146.01c2System.23 - 01.c PRS-5 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json f8456c1c-aa66-4dfb-861a-25d127b775c9
Security Center External accounts with read permissions should be removed from your subscription None Yes PA-3 1.3 nan nan AC-2 3.1.1 nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json 5f76cf89-fbf2-47fd-a3f4-b891fa780b60
Security Center External accounts with write permissions should be removed from your subscription None Yes PA-3 1.3 nan A.9.2.5 AC-2 3.1.1 nan PRS-5 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json 5c607a2e-c700-4744-8254-d77e7c9eb5e4
Security Center Guest Attestation extension should be installed on supported Linux virtual machines None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLinuxGAExtOnVm_Audit.json 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff
Security Center Guest Attestation extension should be installed on supported Linux virtual machines scale sets None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLinuxGAExtOnVmss_Audit.json a21f8c92-9e22-4f09-b759-50500d1d2dda
Security Center Guest Attestation extension should be installed on supported Windows virtual machines None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallWindowsGAExtOnVm_Audit.json 1cb4d9c2-f88f-4069-bee0-dba239a57b09
Security Center Guest Attestation extension should be installed on supported Windows virtual machines scale sets None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallWindowsGAExtOnVmss_Audit.json f655e522-adff-494d-95c2-52d4f6d56a42
Security Center Guest Configuration extension should be installed on your machines None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json ae89ebca-1c92-4898-ac2c-9f63decb045c
Security Center IP Forwarding on your virtual machine should be disabled None Yes NS-4 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json bd352bd5-2853-4985-bf0d-73806b4a5744
Security Center Internet-facing virtual machines should be protected with network security groups None Yes NS-4 nan nan nan nan 3.13.5 0814.01n1Organizational.12 - 01.n NS-2 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json f6de0be7-9a8a-4b8a-b349-43cf02d22f7c
Security Center Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version None Yes PV-7 nan nan nan nan 3.14.1 nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json fb893a29-21bb-418c-a157-e99480ec364c
Security Center Linux virtual machines should use Secure Boot None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableSecureBootOnLinuxVM_Audit.json b1bb3592-47b8-4150-8db0-bfdcc2c8965b
Security Center Log Analytics agent health issues should be resolved on your machines None Yes LT-5 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json d62cfe2b-3ab0-4d41-980d-76803b58ca65
Security Center Log Analytics agent should be installed on your Cloud Services (extended support) role instances None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnCSES.json 15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554
Security Center Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring None Yes LT-5 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json a4fe33eb-e377-4efb-ab31-0784311bc499
Security Center Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring None Yes LT-5 nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json a3a6ea0c-e018-4933-9ef0-5aaa1501449b
Security Center MFA should be enabled accounts with write permissions on your subscription None Yes IM-4 1.1 nan A.9.4.2 IA-2 (1) 3.5.3 11110.01q1Organizational.6 - 01.q AC-17 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json 9297c21d-2ed6-4474-b48f-163f75654ce3
Security Center MFA should be enabled on accounts with owner permissions on your subscription None Yes IM-4 1.1 nan A.9.4.2 IA-2 (1) 3.5.3 11109.01q1Organizational.57 - 01.q AC-17 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json aa633080-8b72-40c4-a2d7-d00c03e80bed
Security Center MFA should be enabled on accounts with read permissions on your subscription None Yes IM-4 1.2 nan A.9.4.2 IA-2 (2) 3.5.3 11111.01q2System.4 - 01.q AC-17 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json e3576e28-8b17-4677-84c3-db2990658d64
Security Center Management ports of virtual machines should be protected with just-in-time network access control None Yes NS-4 nan nan nan SC-7 (4) Ownership : Microsoft nan 0858.09m1Organizational.4 - 09.m AC-7 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json b0f33259-77d7-4c9e-aac6-3aabcfae693c
Security Center Management ports should be closed on your virtual machines None Yes NS-1 nan nan nan nan nan 1193.01l2Organizational.13 - 01.l nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json 22730e10-96f6-4aac-ad84-9383d35b5917
Security Center Monitor missing Endpoint Protection in Azure Security Center None Yes ES-3 7.6 nan A.12.6.1 SI-3 (1) 3.14.2 0201.09j1Organizational.124 - 09.j DM-4 nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json af6cd1bd-1635-48cb-bde7-5b15693900b9
Security Center Non-internet-facing virtual machines should be protected with network security groups None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json bb91dfba-c30d-4263-9add-9c2384e659a6
Security Center Role-Based Access Control (RBAC) should be used on Kubernetes Services None Yes PA-7 8.5 nan nan nan nan 1229.09c1Organizational.1 - 09.c nan nan https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json ac4a19c2-fa67-49b4-8ae5-0b2e78c49457
Security Center SQL databases should have vulnerability findings resolved None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json feedbf84-6b99-488c-acc2-71c829aa5ffc
Security Center SQL servers on machines should have vulnerability findings resolved None Yes nan nan nan nan nan nan nan nan nan https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d
| Security Center | Secure Boot should be enabled on supported Windows virtual machines | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableWindowsSB_Audit.json | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 |
| Security Center | Security Center standard pricing tier should be selected | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json | a1181c5f-672a-477a-979a-7d58aa086233 |
| Security Center | Sensitive data in your SQL databases should be classified | None | Yes | DP-1 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbDataClassification_Audit.json | cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 |
| Security Center | Service principals should be used to protect your subscriptions instead of management certificates | None | Yes | IM-2 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json | 6646a0bd-e110-40ca-bb97-84fcee63c414 |
| Security Center | Subnets should be associated with a Network Security Group | None | Yes | NS-4 | | | | | | 0814.01n1Organizational.12 - 01.n | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json | e71308d3-144b-4262-b144-efdc3cc90517 |
| Security Center | Subscriptions should have a contact email address for security issues | None | Yes | IR-2 | 2.13 | | | | 3.14.6 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 |
| Security Center | System updates on virtual machine scale sets should be installed | None | Yes | PV-7 | | | | SI-2 | 3.14.1 | 1202.09aa1System.1 - 09.aa | PRS-5 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json | c3f317a7-a95c-4547-b7e7-11017ebdf2fe |
| Security Center | System updates should be installed on your machines | None | Yes | PV-7 | 7.5 | | A.12.6.1 | SI-2 | 3.14.1 | 0201.09j1Organizational.124 - 09.j | PRS-5 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json | 86b3d65f-7626-441e-b690-81a8b71cff60 |
| Security Center | There should be more than one owner assigned to your subscription | None | Yes | PA-1 | | | A.6.1.2 | AC-6 (7) | 3.1.4 | 11208.01q1Organizational.8 - 01.q | AC-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json | 09024ccc-0c5f-475e-9457-b7c0d9ed487b |
| Security Center | Virtual machines guest attestation status should be healthy | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_BootIntegrityAttestation_Audit.json | f6358610-e532-4236-b178-4c65865eb262 |
| Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json | 0961003e-5a0a-4549-abde-af6a37f2724d |
| Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json | d26f7642-7545-4e18-9b75-8c9bbdee3a9a |
| Security Center | Vulnerabilities in Azure Container Registry images should be remediated | None | Yes | PV-6 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json | 5f0f936f-2f01-4bf5-b6be-d423792fa562 |
| Security Center | Vulnerabilities in container security configurations should be remediated | None | Yes | PV-4 | | | | | 3.11.2 | 0715.10m2Organizational.8 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json | e8cbc669-f12d-49eb-93e7-9273119e9933 |
| Security Center | Vulnerabilities in security configuration on your machines should be remediated | None | Yes | PV-4 | | | A.12.6.1 | SI-2 | 3.14.1 | 0718.10m3Organizational.34 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 |
| Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | None | Yes | PV-4 | | | | SI-2 | 3.14.1 | 0717.10m3Organizational.2 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 |
| Security Center | vTPM should be enabled on supported virtual machines | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableVTPM_Audit.json | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 |
| Service Bus | All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditNamespaceAccessRules_Audit.json | a1817ec0-a368-432a-8057-8371e17ac6ee |
| Service Bus | Azure Service Bus namespaces should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_PrivateEndpoint_Audit.json | 1c06e275-d63d-4540-b761-71f364c2111d |
| Service Bus | Resource logs in Service Bus should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1208.09aa3System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 |
| Service Bus | Service Bus Premium namespaces should use a customer-managed key for encryption | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_CustomerManagedKeyEnabled_Audit.json | 295fc8b1-dc9f-4f53-9c61-3f313ceab40a |
| Service Bus | Service Bus namespaces should have double encryption enabled | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_InfrastructureEncryptionEnabled_Audit.json | ebaf4f25-a4e8-415f-86a8-42d9155bef0b |
| Service Fabric | Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | None | No | DP-5 | | | A.10.1.1 | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json | 617c02be-7f02-4efd-8836-3180d47b6c68 |
| Service Fabric | Service Fabric clusters should only use Azure Active Directory for client authentication | None | No | IM-1 | | | A.9.2.3 | AC-2 (7) | | | AC-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json | b54ed75b-3e1a-44ac-a333-05ba39b99ff0 |
| SignalR | Azure SignalR Service should disable public network access | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SignalR/SignalR_PublicNetworkAccessDisabled_AuditDeny.json | 21a9766a-82a5-4747-abb5-650b6dbba6d0 |
| SignalR | Azure SignalR Service should use a Private Link enabled SKU | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SignalR/SignalR_AllowedSKU_AuditDeny.json | 464a1620-21b5-448d-8ce6-d4ac6d1bc49a |
| SignalR | Azure SignalR Service should use private link | None | No | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json | 53503636-bcc9-4748-9663-5348217f160f |
| Site Recovery | Recovery Services vaults should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Site%20Recovery/RecoveryServices_SiteRecovery_PrivateEndpoint_Audit.json | 11e3da8c-1d68-4392-badd-0ff3c43ab5b0 |
| Storage | Azure File Sync should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageSync_PrivateEndpoint_AuditIfNotExists.json | 1d320205-c6a1-4ac6-873d-46224024e8e2 |
| Storage | Geo-redundant storage should be enabled for Storage Accounts | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/GeoRedundant_StorageAccounts_Audit.json | bf045164-79ba-4215-8f95-f8048dc1780b |
| Storage | HPC Cache accounts should use customer-managed key for encryption | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageCache_CMKEnabled.json | 970f84d8-71b6-4091-9979-ace7e3fb6dbb |
| Storage | Public network access should be disabled for Azure File Sync | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageSync_IncomingTrafficPolicy_AuditDeny.json | 21a8cd35-125e-4d13-b82d-2e19b7208bb7 |
| Storage | Secure transfer to storage accounts should be enabled | None | No | DP-4 | 3.1 | | A.13.2.1 | SC-8 (1) | 3.13.8 | 0943.09y1Organizational.1 - 09.y | DM-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json | 404c3081-a854-4457-ae30-26a93ef643f9 |
| Storage | Storage account encryption scopes should use customer-managed keys to encrypt data at rest | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/Storage_EncryptionScopesShouldUseCMK_Audit.json | b5ec538c-daa0-4006-8596-35468b9148e8 |
| Storage | Storage account keys should not be expired | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageAccountKeysExpired_Restrict.json | 044985bb-afe1-42cd-8a36-9d5d42424537 |
| Storage | Storage account public access should be disallowed | None | No | DP-2 | 5.1.3 | | | | | | NS-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 |
| Storage | Storage accounts should allow access from trusted Microsoft services | None | No | | 3.7 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccess_TrustedMicrosoftServices_Audit.json | c9d007d0-c057-4772-b18c-01e546713bcd |
| Storage | Storage accounts should be limited by allowed SKUs | Required | No | | | | | | | | | listOfAllowedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/AllowedStorageSkus_Audit.json | 7433c107-6db4-4ad1-b57a-a76dce0154a1 |
| Storage | Storage accounts should be migrated to new Azure Resource Manager resources | None | No | AM-3 | | | A.9.1.2 | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 |
| Storage | Storage accounts should have infrastructure encryption | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountInfrastructureEncryptionEnabled_Audit.json | 4733ea7b-a883-42fe-8cac-97454c2a9e4a |
| Storage | Storage accounts should prevent shared key access | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageAccountAllowSharedKeyAccess_Audit.json | 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 |
| Storage | Storage accounts should restrict network access | None | No | NS-4 | 3.6 | | A.13.1.1 | SC-7 | 3.13.5 | 0866.09m3Organizational.1516 - 09.m | NS-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json | 34c877ad-507e-4c82-993e-3452a6e0ad3c |
| Storage | Storage accounts should restrict network access using virtual network rules | None | No | NS-1 | 3.6 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f |
| Storage | Storage accounts should use customer-managed key for encryption | None | Yes | DP-5 | 3.9 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json | 6fac406b-40ca-413b-bf8e-0bf964659c25 |
| Storage | Storage accounts should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json | 6edd7eda-6dd8-40f7-810d-67160c639cd9 |
| Stream Analytics | Azure Stream Analytics jobs should use customer-managed keys to encrypt data | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_CMK_Audit.json | 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 |
| Stream Analytics | Resource logs in Azure Stream Analytics should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1207.09aa2System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json | f9be5368-9bf5-4b84-9e0a-7850da98bb46 |
| Synapse | Auditing on Synapse workspace should be enabled | Optional | Yes | | | | | | | | | setting | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceSqlAuditing_Audit.json | e04e5000-cd89-451d-bb21-a14d24ff9c73 |
| Synapse | Azure Synapse workspaces should allow outbound data traffic only to approved targets | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/Workspace_RestrictOutboundDataTraffic_Audit.json | 3484ce98-c0c5-4c83-994b-c5ac24785218 |
| Synapse | Azure Synapse workspaces should disable public network access | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspacePublicNetworkAccess_Deny.json | 38d8df46-cf4e-4073-8e03-48c24b29de0d |
| Synapse | Azure Synapse workspaces should use customer-managed keys to encrypt data at rest | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceCMK_Audit.json | f7d52b2d-e161-4dfa-a82b-55e564167385 |
| Synapse | Azure Synapse workspaces should use private link | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json | 72d11df1-dd8a-41f7-8925-b05b960ebafc |
| Synapse | IP firewall rules on Azure Synapse workspaces should be removed | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceFirewallRules_Audit.json | 56fd377d-098c-4f02-8406-81eb055902b8 |
| Synapse | Managed workspace virtual network on Azure Synapse workspaces should be enabled | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceManagedVnet_Audit.json | 2d9dbfa3-927b-4cf0-9d0f-08747f971650 |
| Synapse | Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants | Required | No | | | | | | | | | allowedTenantIds | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/Workspace_DataExfiltrationPrevention_Deny.json | 3a003702-13d2-4679-941b-937e58c443f0 |
| Synapse | Synapse workspace auditing settings should have action groups configured to capture critical activities | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceSqlAuditing_ActionsAndGroups_Audit.json | 2b18f286-371e-4b80-9887-04759970c0d3 |
| Synapse | Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceSqlAuditingRetentionDays_Audit.json | 529ea018-6afc-4ed4-95bd-7c9ee47b00bc |
| Synapse | Vulnerability assessment should be enabled on your Synapse workspaces | None | Yes | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/ASC_SQLVulnerabilityAssessmentOnSynapse_Audit.json | 0049a6b3-a662-4f3e-8635-39cf44ace45a |
| Tags | Require a tag and its value on resource groups | Required | No | | | | | | | | | tagName, tagValue | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/ResourceGroupRequireTagAndValue_Deny.json | 8ce3da23-7156-49e4-b145-24f95f9dcb46 |
| Tags | Require a tag and its value on resources | Required | No | | | | | | | | | tagName, tagValue | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/RequireTagAndValue_Deny.json | 1e30110a-5ceb-460c-a204-c1c3969c6d62 |
| Tags | Require a tag on resource groups | Required | No | | | | | | | | | tagName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/ResourceGroupRequireTag_Deny.json | 96670d01-0a4d-4649-9c89-2d3abc0a5025 |
| Tags | Require a tag on resources | Required | No | | | | | | | | | tagName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/RequireTag_Deny.json | 871b6d14-10aa-478d-b590-94f262ecfa99 |
| VM Image Builder | VM Image Builder templates should use private link | None | No | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json | 2154edb9-244f-4741-9970-660785bccdaa |
| Web PubSub | Azure Web PubSub Service should disable public network access | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PublicNetworkAccessDisabled_AuditDeny.json | bf45113f-264e-4a87-88f9-29ac8a0aca6a |
| Web PubSub | Azure Web PubSub Service should use a SKU that supports private link | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_AllowedSKU_AuditDeny.json | 82909236-25f3-46a6-841c-fe1020f95ae1 |
| Web PubSub | Azure Web PubSub Service should use private link | None | No | | | | | | | | | | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit.json | 52630df9-ca7e-442b-853b-c6ce548b31a2 |