![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 84%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESL%3C/text%3E%3C/svg%3E)
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
836 questions
Hello anonymous user - here's the update from my ASC expert.
The NIST SP 800-53 initiative has a ‘shared responsibility model’ baked in to it., It includes policies that are platform responsibility (all of the “Microsoft Managed Controls”), alongside the customer responsibility policies. However, this info isn’t surfaced in ASC yet (though it will be sooon).
What we show in the Security Center compliance dashboard is a message for each of the ‘gray’ controls that this control does not have any automated assessments associated with it. That can be because either
- We don’t yet have policies that apply to this control,
- This can’t be automated by policy and therefore will eventually have a manual assessment associated with it, or
- This control is indeed platform responsibility, and we should have “Microsoft Managed Controls” mapped to it
Important note: We currently dont have microsoft managed controls for all standards yet - only NIST for now.
Hope this helps but dont hesitate to ping if you have any followup qyestions
Cheers.