Azure Policy Regulatory Compliance controls for Azure App Service

Regulatory Compliance in Azure Policy provides Microsoft-created and Microsoft-managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure App Service. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | App Service apps should use the latest TLS version | 2.0.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Function apps should use the latest TLS version | 2.0.0 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | App Service apps should have remote debugging turned off | 2.0.0 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | Function apps should have remote debugging turned off | 2.0.0 |
| Guidelines for Software Development - Web application development | 1424 | Web browser-based security controls - 1424 | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Guidelines for Software Development - Web application development | 1552 | Web application interactions - 1552 | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Guidelines for Software Development - Web application development | 1552 | Web application interactions - 1552 | Function apps should only be accessible over HTTPS | 3.0.0 |

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | NS-8 | Detect and disable insecure services and protocols | App Service apps should use the latest TLS version | 2.0.0 |
| Network Security | NS-8 | Detect and disable insecure services and protocols | Function apps should use the latest TLS version | 2.0.0 |
| Identity Management | IM-3 | Manage application identities securely and automatically | App Service apps should use managed identity | 3.0.0 |
| Identity Management | IM-3 | Manage application identities securely and automatically | Function apps should use managed identity | 3.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | App Service apps should require FTPS only | 3.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | App Service apps should use the latest TLS version | 2.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | Function apps should only be accessible over HTTPS | 3.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | Function apps should require FTPS only | 3.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | Function apps should use the latest TLS version | 2.0.0 |
| Logging and Threat Detection | LT-3 | Enable logging for security investigation | App Service apps should have resource logs enabled | 2.0.1 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | App Service apps should have remote debugging turned off | 2.0.0 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | Function apps should have remote debugging turned off | 2.0.0 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | App Service apps that use Java should use the latest 'Java version' | 3.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | App Service apps that use PHP should use the latest 'PHP version' | 3.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | App Service apps that use Python should use the latest 'Python version' | 4.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | Function apps that use Java should use the latest 'Java version' | 3.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | Function apps that use Python should use the latest 'Python version' | 4.0.0 |

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | App Service apps should use a virtual network service endpoint | 2.0.0 |
| Network Security | 1.3 | Protect critical web applications | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Network Security | 1.3 | Protect critical web applications | App Service apps should have remote debugging turned off | 2.0.0 |
| Network Security | 1.3 | Protect critical web applications | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Network Security | 1.3 | Protect critical web applications | Function apps should have remote debugging turned off | 2.0.0 |
| Network Security | 1.3 | Protect critical web applications | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | App Service apps should have resource logs enabled | 2.0.1 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | App Service apps should require FTPS only | 3.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | App Service apps should use the latest TLS version | 2.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | Function apps should only be accessible over HTTPS | 3.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | Function apps should require FTPS only | 3.0.0 |
| Data Protection | 4.4 | Encrypt all sensitive information in transit | Function apps should use the latest TLS version | 2.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | App Service apps that use Java should use the latest 'Java version' | 3.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | App Service apps that use PHP should use the latest 'PHP version' | 3.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | App Service apps that use Python should use the latest 'Python version' | 4.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Function apps that use Java should use the latest 'Java version' | 3.0.0 |
| Vulnerability Management | 5.3 | Deploy automated third-party software patch management solution | Function apps that use Python should use the latest 'Python version' | 4.0.0 |
| Secure Configuration | 7.12 | Manage identities securely and automatically | App Service apps should use managed identity | 3.0.0 |
| Secure Configuration | 7.12 | Manage identities securely and automatically | Function apps should use managed identity | 3.0.0 |

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Function apps should have remote debugging turned off | 2.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | App Service apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Function apps should only be accessible over HTTPS | 3.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | Ensure App Service Authentication is set on Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | Ensure App Service Authentication is set on Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | App Service apps should use latest 'HTTP Version' | 3.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Function apps should use latest 'HTTP Version' | 3.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 3.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | Ensure web app is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | Ensure web app is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.7 | Ensure that 'PHP version' is the latest, if used to run the web app | App Service apps that use PHP should use the latest 'PHP version' | 3.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.8 | Ensure that 'Python version' is the latest, if used to run the web app | App Service apps that use Python should use the latest 'Python version' | 4.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.8 | Ensure that 'Python version' is the latest, if used to run the web app | Function apps that use Python should use the latest 'Python version' | 4.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.9 | Ensure that 'Java version' is the latest, if used to run the web app | App Service apps that use Java should use the latest 'Java version' | 3.0.0 |
| AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.9 | Ensure that 'Java version' is the latest, if used to run the web app | Function apps that use Java should use the latest 'Java version' | 3.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| 5 Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | App Service apps should have resource logs enabled | 2.0.1 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | Ensure App Service Authentication is set on Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | Ensure App Service Authentication is set on Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.10 | Ensure FTP deployments are disabled | App Service apps should require FTPS only | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.10 | Ensure FTP deployments are disabled | Function apps should require FTPS only | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | Ensure web app is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | Ensure web app is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.6 | Ensure that 'PHP version' is the latest, if used to run the web app | App Service apps that use PHP should use the latest 'PHP version' | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.7 | Ensure that 'Python version' is the latest, if used to run the web app | App Service apps that use Python should use the latest 'Python version' | 4.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.7 | Ensure that 'Python version' is the latest, if used to run the web app | Function apps that use Python should use the latest 'Python version' | 4.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.8 | Ensure that 'Java version' is the latest, if used to run the web app | App Service apps that use Java should use the latest 'Java version' | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.8 | Ensure that 'Java version' is the latest, if used to run the web app | Function apps that use Java should use the latest 'Java version' | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | App Service apps should use latest 'HTTP Version' | 3.0.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Function apps should use latest 'HTTP Version' | 3.0.0 |

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Function apps should only be accessible over HTTPS | 3.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | App Service apps should use the latest TLS version | 2.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Function apps should only be accessible over HTTPS | 3.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Function apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | App Service apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | App Service apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Function apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Function apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | App Service apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | App Service apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | App Service apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | App Service apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Function apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Function apps should use the latest TLS version | 2.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | App Service apps should use latest 'HTTP Version' | 3.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | App Service apps should use the latest TLS version | 2.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | App Service apps that use Java should use the latest 'Java version' | 3.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | App Service apps that use PHP should use the latest 'PHP version' | 3.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | App Service apps that use Python should use the latest 'Python version' | 4.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Function apps should use latest 'HTTP Version' | 3.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Function apps should use the latest TLS version | 2.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Function apps that use Java should use the latest 'Java version' | 3.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Function apps that use Python should use the latest 'Python version' | 4.0.0 |

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-2 | Account Management | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17 | Remote Access | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 | Remote Access | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Function apps should have remote debugging turned off | 2.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | App Service apps should have resource logs enabled | 2.0.1 |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | App Service apps should have resource logs enabled | 2.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | App Service apps should have resource logs enabled | 2.0.1 |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | App Service apps should use managed identity | 3.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Function apps should use managed identity | 3.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | App Service apps should use managed identity | 3.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | Function apps should use managed identity | 3.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | App Service apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | App Service apps should require FTPS only | 3.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | App Service apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Function apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Function apps should require FTPS only | 3.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Function apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | App Service apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | App Service apps should require FTPS only | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | App Service apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Function apps should only be accessible over HTTPS | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Function apps should require FTPS only | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Function apps should use the latest TLS version | 2.0.0 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | App Service Environment should have internal encryption enabled | 1.0.1 |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | App Service Environment should have internal encryption enabled | 1.0.1 |
System and Information Integrity SI-2 Flaw Remediation App Service apps should use latest 'HTTP Version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation App Service apps that use Java should use the latest 'Java version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation App Service apps that use PHP should use the latest 'PHP version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation App Service apps that use Python should use the latest 'Python version' 4.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps should use latest 'HTTP Version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps that use Java should use the latest 'Java version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps that use Python should use the latest 'Python version' 4.0.0

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control AC-2 Account Management App Service apps should use managed identity 3.0.0
Access Control AC-2 Account Management Function apps should use managed identity 3.0.0
Access Control AC-3 Access Enforcement App Service apps should use managed identity 3.0.0
Access Control AC-3 Access Enforcement Function apps should use managed identity 3.0.0
Access Control AC-4 Information Flow Enforcement App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Access Control AC-17 Remote Access App Service apps should have remote debugging turned off 2.0.0
Access Control AC-17 Remote Access Function apps should have remote debugging turned off 2.0.0
Access Control AC-17 (1) Automated Monitoring / Control App Service apps should have remote debugging turned off 2.0.0
Access Control AC-17 (1) Automated Monitoring / Control Function apps should have remote debugging turned off 2.0.0
Audit and Accountability AU-12 Audit Generation App Service apps should have resource logs enabled 2.0.1
Configuration Management CM-6 Configuration Settings App Service apps should have 'Client Certificates (Incoming client certificates)' enabled 2.0.0
Configuration Management CM-6 Configuration Settings App Service apps should have remote debugging turned off 2.0.0
Configuration Management CM-6 Configuration Settings App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should have 'Client Certificates (Incoming client certificates)' enabled 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should have remote debugging turned off 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) App Service apps should use managed identity 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) Function apps should use managed identity 3.0.0
Identification and Authentication IA-4 Identifier Management App Service apps should use managed identity 3.0.0
Identification and Authentication IA-4 Identifier Management Function apps should use managed identity 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity App Service apps should only be accessible over HTTPS 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity App Service apps should require FTPS only 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity App Service apps should use the latest TLS version 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function apps should only be accessible over HTTPS 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function apps should require FTPS only 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function apps should use the latest TLS version 2.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection App Service apps should only be accessible over HTTPS 3.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection App Service apps should require FTPS only 3.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection App Service apps should use the latest TLS version 2.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Function apps should only be accessible over HTTPS 3.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Function apps should require FTPS only 3.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Function apps should use the latest TLS version 2.0.0
System and Communications Protection SC-28 Protection of Information at Rest App Service Environment should have internal encryption enabled 1.0.1
System and Communications Protection SC-28 (1) Cryptographic Protection App Service Environment should have internal encryption enabled 1.0.1
System and Information Integrity SI-2 Flaw Remediation App Service apps should use latest 'HTTP Version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation App Service apps that use Java should use the latest 'Java version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation App Service apps that use PHP should use the latest 'PHP version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation App Service apps that use Python should use the latest 'Python version' 4.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps should use latest 'HTTP Version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps that use Java should use the latest 'Java version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps that use Python should use the latest 'Python version' 4.0.0

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Remote Diagnostic and Configuration Port Protection 1194.01l2Organizational.2 - 01.l Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed. App Service apps should have remote debugging turned off 2.0.0
Remote Diagnostic and Configuration Port Protection 1195.01l3Organizational.1 - 01.l The organization reviews the information system within every three hundred and sixty-five (365) days to identify and disable unnecessary and non-secure functions, ports, protocols, and/or services. Function apps should have remote debugging turned off 2.0.0
Segregation in Networks 0805.01m1Organizational.12 - 01.m The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. App Service apps should use a virtual network service endpoint 2.0.0
Segregation in Networks 0806.01m2Organizational.12356 - 01.m The organization's network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. App Service apps should use a virtual network service endpoint 2.0.0
Segregation in Networks 0894.01m2Organizational.7 - 01.m Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. App Service apps should use a virtual network service endpoint 2.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. App Service apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. App Service apps should use the latest TLS version 2.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Function apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Function apps should use the latest TLS version 2.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. App Service apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. App Service apps should use the latest TLS version 2.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Function apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Function apps should use the latest TLS version 2.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. App Service apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. App Service apps should use the latest TLS version 2.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. Function apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. Function apps should use the latest TLS version 2.0.0
Network Connection Control 0812.01n2Organizational.8 - 01.n Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. App Service apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0812.01n2Organizational.8 - 01.n Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. App Service apps should use the latest TLS version 2.0.0
Network Connection Control 0812.01n2Organizational.8 - 01.n Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. Function apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0812.01n2Organizational.8 - 01.n Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. Function apps should use the latest TLS version 2.0.0
Network Connection Control 0814.01n1Organizational.12 - 01.n The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. App Service apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0814.01n1Organizational.12 - 01.n The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. App Service apps should use the latest TLS version 2.0.0
Network Connection Control 0814.01n1Organizational.12 - 01.n The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. Function apps should only be accessible over HTTPS 3.0.0
Network Connection Control 0814.01n1Organizational.12 - 01.n The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. Function apps should use the latest TLS version 2.0.0
Identification of Risks Related to External Parties 1402.05i1Organizational.45 - 05.i Remote access connections between the organization and external parties are encrypted. Function apps should only be accessible over HTTPS 3.0.0
Identification of Risks Related to External Parties 1403.05i1Organizational.67 - 05.i Access granted to external parties is limited to the minimum necessary and granted only for the duration required. App Service apps should only be accessible over HTTPS 3.0.0
Audit Logging 1209.09aa3System.2 - 09.aa The information system generates audit records containing the following detailed information: (i) filename accessed; (ii) program or command used to initiate the event; and (iii) source and destination addresses. App Service apps should have resource logs enabled 2.0.1
Network Controls 0861.09m2Organizational.67 - 09.m To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. App Service apps should use a virtual network service endpoint 2.0.0
Information Exchange Policies and Procedures 0662.09sCSPOrganizational.2 - 09.s Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and have documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review. App Service apps should have 'Client Certificates (Incoming client certificates)' enabled 2.0.0
Information Exchange Policies and Procedures 0901.09s1Organizational.1 - 09.s The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Information Exchange Policies and Procedures 0902.09s2Organizational.13 - 09.s Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions. Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Information Exchange Policies and Procedures 0912.09s1Organizational.4 - 09.s Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems. App Service apps should have remote debugging turned off 2.0.0
Information Exchange Policies and Procedures 0913.09s1Organizational.5 - 09.s Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks. Function apps should have remote debugging turned off 2.0.0
Information Exchange Policies and Procedures 0915.09s2Organizational.2 - 09.s The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems. App Service apps should have 'Client Certificates (Incoming client certificates)' enabled 2.0.0
Information Exchange Policies and Procedures 0916.09s2Organizational.4 - 09.s The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices. App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Information Exchange Policies and Procedures 0960.09sCSPOrganizational.1 - 09.s Cloud service providers use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved. Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Information Exchange Policies and Procedures 1325.09s1Organizational.3 - 09.s Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic). Function apps should have remote debugging turned off 2.0.0
On-line Transactions 0949.09y2Organizational.5 - 09.y The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. App Service apps should only be accessible over HTTPS 3.0.0
On-line Transactions 0949.09y2Organizational.5 - 09.y The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. App Service apps should use the latest TLS version 2.0.0
On-line Transactions 0949.09y2Organizational.5 - 09.y The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. Function apps should only be accessible over HTTPS 3.0.0
On-line Transactions 0949.09y2Organizational.5 - 09.y The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. Function apps should use the latest TLS version 2.0.0

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control 9.3.1.12 Remote Access (AC-17) App Service apps should have remote debugging turned off 2.0.0
Access Control 9.3.1.12 Remote Access (AC-17) Function apps should have remote debugging turned off 2.0.0
Access Control 9.3.1.4 Information Flow Enforcement (AC-4) App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) App Service apps should only be accessible over HTTPS 3.0.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Function apps should only be accessible over HTTPS 3.0.0

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Cryptography 10.1.1 Policy on the use of cryptographic controls App Service apps should only be accessible over HTTPS 3.0.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Function apps should only be accessible over HTTPS 3.0.0

New Zealand ISM Restricted

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - New Zealand ISM Restricted. For more information about this compliance standard, see New Zealand ISM Restricted.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Software security SS-2 14.1.8 Developing hardened SOEs App Service apps should have remote debugging turned off 2.0.0
Software security SS-2 14.1.8 Developing hardened SOEs Function apps should have remote debugging turned off 2.0.0
Software security SS-9 14.5.8 Web applications App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Software security SS-9 14.5.8 Web applications App Service apps should only be accessible over HTTPS 3.0.0
Software security SS-9 14.5.8 Web applications App Service apps that use Java should use the latest 'Java version' 3.0.0
Software security SS-9 14.5.8 Web applications App Service apps that use PHP should use the latest 'PHP version' 3.0.0
Software security SS-9 14.5.8 Web applications App Service apps that use Python should use the latest 'Python version' 4.0.0
Software security SS-9 14.5.8 Web applications Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Software security SS-9 14.5.8 Web applications Function apps should only be accessible over HTTPS 3.0.0
Software security SS-9 14.5.8 Web applications Function apps that use Java should use the latest 'Java version' 3.0.0
Software security SS-9 14.5.8 Web applications Function apps that use Python should use the latest 'Python version' 4.0.0
Access Control and Passwords AC-2 16.1.32 System User Identification App Service apps should use managed identity 3.0.0
Access Control and Passwords AC-2 16.1.32 System User Identification Function apps should use managed identity 3.0.0
Access Control and Passwords AC-17 16.6.9 Events to be logged App Service apps should have resource logs enabled 2.0.1
Cryptography CR-7 17.4.16 Using TLS App Service apps should require FTPS only 3.0.0
Cryptography CR-7 17.4.16 Using TLS App Service apps should use the latest TLS version 2.0.0
Cryptography CR-7 17.4.16 Using TLS Function apps should require FTPS only 3.0.0
Cryptography CR-7 17.4.16 Using TLS Function apps should use the latest TLS version 2.0.0

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control AC-2 Account Management App Service apps should use managed identity 3.0.0
Access Control AC-2 Account Management Function apps should use managed identity 3.0.0
Access Control AC-3 Access Enforcement App Service apps should use managed identity 3.0.0
Access Control AC-3 Access Enforcement Function apps should use managed identity 3.0.0
Access Control AC-4 Information Flow Enforcement App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Access Control AC-17 Remote Access App Service apps should have remote debugging turned off 2.0.0
Access Control AC-17 Remote Access Function apps should have remote debugging turned off 2.0.0
Access Control AC-17 (1) Monitoring and Control App Service apps should have remote debugging turned off 2.0.0
Access Control AC-17 (1) Monitoring and Control Function apps should have remote debugging turned off 2.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis App Service apps should have resource logs enabled 2.0.1
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records App Service apps should have resource logs enabled 2.0.1
Audit and Accountability AU-12 Audit Record Generation App Service apps should have resource logs enabled 2.0.1
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail App Service apps should have resource logs enabled 2.0.1
Configuration Management CM-6 Configuration Settings App Service apps should have 'Client Certificates (Incoming client certificates)' enabled 2.0.0
Configuration Management CM-6 Configuration Settings App Service apps should have remote debugging turned off 2.0.0
Configuration Management CM-6 Configuration Settings App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should have 'Client Certificates (Incoming client certificates)' enabled 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should have remote debugging turned off 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) App Service apps should use managed identity 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) Function apps should use managed identity 3.0.0
Identification and Authentication IA-4 Identifier Management App Service apps should use managed identity 3.0.0
Identification and Authentication IA-4 Identifier Management Function apps should use managed identity 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity App Service apps should only be accessible over HTTPS 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity App Service apps should require FTPS only 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity App Service apps should use the latest TLS version 2.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function apps should only be accessible over HTTPS 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function apps should require FTPS only 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function apps should use the latest TLS version 2.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection App Service apps should only be accessible over HTTPS 3.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection App Service apps should require FTPS only 3.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection App Service apps should use the latest TLS version 2.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Function apps should only be accessible over HTTPS 3.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Function apps should require FTPS only 3.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Function apps should use the latest TLS version 2.0.0
System and Communications Protection SC-28 Protection of Information at Rest App Service Environment should have internal encryption enabled 1.0.1
System and Communications Protection SC-28 (1) Cryptographic Protection App Service Environment should have internal encryption enabled 1.0.1
System and Information Integrity SI-2 Flaw Remediation App Service apps should use latest 'HTTP Version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation App Service apps that use Java should use the latest 'Java version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation App Service apps that use PHP should use the latest 'PHP version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation App Service apps that use Python should use the latest 'Python version' 4.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps should use latest 'HTTP Version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps that use Java should use the latest 'Java version' 3.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps that use Python should use the latest 'Python version' 4.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware App Service apps should use latest 'HTTP Version' 3.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware App Service apps that use Java should use the latest 'Java version' 3.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware App Service apps that use PHP should use the latest 'PHP version' 3.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware App Service apps that use Python should use the latest 'Python version' 4.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Function apps should use latest 'HTTP Version' 3.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Function apps that use Java should use the latest 'Java version' 3.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Function apps that use Python should use the latest 'Python version' 4.0.0

NZ ISM Restricted v3.5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NZ ISM Restricted v3.5. For more information about this compliance standard, see NZ ISM Restricted v3.5.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control and Passwords | NZISM Security Benchmark AC-18 | 16.6.9 Events to be logged | App Service apps should have resource logs enabled | 2.0.1 |
| Access Control and Passwords | NZISM Security Benchmark AC-2 | 16.1.32 System User Identification | App Service apps should use managed identity | 3.0.0 |
| Access Control and Passwords | NZISM Security Benchmark AC-2 | 16.1.32 System User Identification | Function apps should use managed identity | 3.0.0 |
| Cryptography | NZISM Security Benchmark CR-8 | 17.4.16 Using TLS | App Service apps should use the latest TLS version | 2.0.0 |
| Cryptography | NZISM Security Benchmark CR-8 | 17.4.16 Using TLS | Function apps should use the latest TLS version | 2.0.0 |
| Software security | NZISM Security Benchmark SS-2 | 14.1.8 Developing hardened SOEs | App Service apps should have remote debugging turned off | 2.0.0 |
| Software security | NZISM Security Benchmark SS-2 | 14.1.8 Developing hardened SOEs | Function apps should have remote debugging turned off | 2.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | App Service apps should have authentication enabled | 2.0.1 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | App Service apps should require FTPS only | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | App Service apps should use latest 'HTTP Version' | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | App Service apps that use Java should use the latest 'Java version' | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | App Service apps that use PHP should use the latest 'PHP version' | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | App Service apps that use Python should use the latest 'Python version' | 4.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | Function apps should have authentication enabled | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | Function apps should only be accessible over HTTPS | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | Function apps should require FTPS only | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | Function apps should use latest 'HTTP Version' | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | Function apps that use Java should use the latest 'Java version' | 3.0.0 |
| Software security | NZISM Security Benchmark SS-9 | 14.5.8 Web applications | Function apps that use Python should use the latest 'Python version' | 4.0.0 |

PCI DSS 3.2.1

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Requirement 3 | PCI DSS v3.2.1 3.4 | PCI DSS requirement 3.4 | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Requirement 3 | PCI DSS v3.2.1 3.4 | PCI DSS requirement 3.4 | Function apps should only be accessible over HTTPS | 3.0.0 |
| Requirement 4 | PCI DSS v3.2.1 4.1 | PCI DSS requirement 4.1 | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Requirement 4 | PCI DSS v3.2.1 4.1 | PCI DSS requirement 4.1 | Function apps should only be accessible over HTTPS | 3.0.0 |
| Requirement 6 | PCI DSS v3.2.1 6.5.3 | PCI DSS requirement 6.5.3 | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Requirement 6 | PCI DSS v3.2.1 6.5.3 | PCI DSS requirement 6.5.3 | Function apps should only be accessible over HTTPS | 3.0.0 |

Reserve Bank of India - IT Framework for NBFC

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| IT Governance | RBI IT Framework 1 | IT Governance-1 | App Service apps that use Java should use the latest 'Java version' | 3.0.0 |
| IT Governance | RBI IT Framework 1 | IT Governance-1 | App Service apps that use PHP should use the latest 'PHP version' | 3.0.0 |
| IT Governance | RBI IT Framework 1 | IT Governance-1 | App Service apps that use Python should use the latest 'Python version' | 4.0.0 |
| IT Governance | RBI IT Framework 1 | IT Governance-1 | Function apps that use Java should use the latest 'Java version' | 3.0.0 |
| IT Governance | RBI IT Framework 1 | IT Governance-1 | Function apps that use Python should use the latest 'Python version' | 4.0.0 |
| Information and Cyber Security | RBI IT Framework 3.1.b | Segregation of Functions-3.1 | App Service apps should have remote debugging turned off | 2.0.0 |
| Information and Cyber Security | RBI IT Framework 3.1.b | Segregation of Functions-3.1 | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Information and Cyber Security | RBI IT Framework 3.1.b | Segregation of Functions-3.1 | Function apps should have remote debugging turned off | 2.0.0 |
| Information and Cyber Security | RBI IT Framework 3.1.h | Public Key Infrastructure (PKI)-3.1 | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Information and Cyber Security | RBI IT Framework 3.1.h | Public Key Infrastructure (PKI)-3.1 | App Service apps should use the latest TLS version | 2.0.0 |
| Information and Cyber Security | RBI IT Framework 3.1.h | Public Key Infrastructure (PKI)-3.1 | App Service Environment should have internal encryption enabled | 1.0.1 |
| Information and Cyber Security | RBI IT Framework 3.1.h | Public Key Infrastructure (PKI)-3.1 | Function apps should only be accessible over HTTPS | 3.0.0 |
| Information and Cyber Security | RBI IT Framework 3.1.h | Public Key Infrastructure (PKI)-3.1 | Function apps should use the latest TLS version | 2.0.0 |
| Information and Cyber Security | RBI IT Framework 3.3 | Vulnerability Management-3.3 | App Service apps that use Java should use the latest 'Java version' | 3.0.0 |
| Information and Cyber Security | RBI IT Framework 3.3 | Vulnerability Management-3.3 | App Service apps that use PHP should use the latest 'PHP version' | 3.0.0 |
| Information and Cyber Security | RBI IT Framework 3.3 | Vulnerability Management-3.3 | App Service apps that use Python should use the latest 'Python version' | 4.0.0 |
| Information and Cyber Security | RBI IT Framework 3.3 | Vulnerability Management-3.3 | Function apps that use Java should use the latest 'Java version' | 3.0.0 |
| Information and Cyber Security | RBI IT Framework 3.3 | Vulnerability Management-3.3 | Function apps that use Python should use the latest 'Python version' | 4.0.0 |
| Information and Cyber Security | RBI IT Framework 3.8 | Digital Signatures-3.8 | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Information and Cyber Security | RBI IT Framework 3.8 | Digital Signatures-3.8 | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |

RMIT Malaysia

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see RMIT Malaysia.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Cryptography | RMiT 10.20 | Cryptography - 10.20 | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Cryptography | RMiT 10.20 | Cryptography - 10.20 | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 2.0.0 |
| Access Control | RMiT 10.54 | Access Control - 10.54 | App Service apps should have authentication enabled | 2.0.1 |
| Access Control | RMiT 10.54 | Access Control - 10.54 | Function apps should have authentication enabled | 3.0.0 |
| Access Control | RMiT 10.54 | Access Control - 10.54 | Function apps should use managed identity | 3.0.0 |
| Security of Digital Services | RMiT 10.66 | Security of Digital Services - 10.66 | App Service apps should have resource logs enabled | 2.0.1 |
| Security of Digital Services | RMiT 10.68 | Security of Digital Services - 10.68 | App Service apps should use the latest TLS version | 2.0.0 |
| Security of Digital Services | RMiT 10.68 | Security of Digital Services - 10.68 | Function apps should use the latest TLS version | 2.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps should require FTPS only | 3.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps should use latest 'HTTP Version' | 3.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps that use Java should use the latest 'Java version' | 3.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps that use PHP should use the latest 'PHP version' | 3.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps that use Python should use the latest 'Python version' | 4.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | Function apps should only be accessible over HTTPS | 3.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | Function apps should require FTPS only | 3.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | Function apps should use latest 'HTTP Version' | 3.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | Function apps that use Java should use the latest 'Java version' | 3.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | Function apps that use Python should use the latest 'Python version' | 4.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | App Service apps should have remote debugging turned off | 2.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Function apps should have remote debugging turned off | 2.0.0 |
| Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |

UK OFFICIAL and UK NHS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Data in transit protection | 1 | Data in transit protection | App Service apps should only be accessible over HTTPS | 3.0.0 |
| Data in transit protection | 1 | Data in transit protection | Function apps should only be accessible over HTTPS | 3.0.0 |
| External interface protection | 11 | External interface protection | App Service apps should have remote debugging turned off | 2.0.0 |
| External interface protection | 11 | External interface protection | Function apps should have remote debugging turned off | 2.0.0 |

Release notes

September 2022

  • App Service apps should be injected into a virtual network
    • Update scope of policy to remove slots
      • Creation of "App Service app slots should be injected into a virtual network" to monitor slots
  • App Service app slots should be injected into a virtual network
    • New policy created
  • Function apps should have 'Client Certificates (Incoming client certificates)' enabled
    • Update scope of policy to remove slots
      • Creation of "Function app slots should have 'Client Certificates (Incoming client certificates)' enabled" to monitor slots
  • Function app slots should have 'Client Certificates (Incoming client certificates)' enabled
    • New policy created
  • Function apps should use an Azure file share for its content directory
    • Update scope of policy to remove slots
      • Creation of "Function app slots should use an Azure file share for its content directory" to monitor slots
  • Function app slots should use an Azure file share for its content directory
    • New policy created
  • App Service apps should have 'Client Certificates (Incoming client certificates)' enabled
    • Update scope of policy to remove slots
      • Creation of "App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled" to monitor slots
  • App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled
    • New policy created
  • App Service apps should use an Azure file share for its content directory
    • Update scope of policy to remove slots
      • Creation of "App Service app slots should use an Azure file share for its content directory" to monitor slots
  • App Service app slots should use an Azure file share for its content directory
    • New policy created
  • Function app slots should require FTPS only
    • New policy created
  • App Service app slots should require FTPS only
    • New policy created
  • Function app slots should not have CORS configured to allow every resource to access your apps
    • New policy created
  • App Service app slots should not have CORS configured to allow every resource to access your app
    • New policy created
  • Function apps should only be accessible over HTTPS
    • Update scope of policy to remove slots
      • Creation of "Function app slots should only be accessible over HTTPS" to monitor slots
    • Add "Deny" effect
    • Creation of "Configure Function apps to only be accessible over HTTPS" for enforcement of policy
  • Function app slots should only be accessible over HTTPS
    • New policy created
  • Configure Function apps to only be accessible over HTTPS
    • New policy created
  • Configure Function app slots to only be accessible over HTTPS
    • New policy created
  • App Service apps should use a SKU that supports private link
    • Update list of supported SKUs of policy to include the Workflow Standard tier for Logic Apps
  • Configure App Service apps to use the latest TLS version
    • New policy created
  • Configure Function apps to use the latest TLS version
    • New policy created
  • Configure App Service apps to turn off remote debugging
    • New policy created
  • Configure Function apps to turn off remote debugging
    • New policy created

August 2022

  • App Service apps should only be accessible over HTTPS
    • Update scope of policy to remove slots
      • Creation of "App Service app slots should only be accessible over HTTPS" to monitor slots
    • Add "Deny" effect
    • Creation of "Configure App Service apps to only be accessible over HTTPS" for enforcement of policy
  • App Service app slots should only be accessible over HTTPS
    • New policy created
  • Configure App Service apps to only be accessible over HTTPS
    • New policy created
  • Configure App Service app slots to only be accessible over HTTPS
    • New policy created

July 2022

  • Deprecation of the following policies:
    • Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'
    • Ensure that 'Python version' is the latest, if used as a part of the API app
    • CORS should not allow every resource to access your API App
    • Managed identity should be used in your API App
    • Remote debugging should be turned off for API Apps
    • Ensure that 'PHP version' is the latest, if used as a part of the API app
    • API apps should use an Azure file share for its content directory
    • FTPS only should be required in your API App
    • Ensure that 'Java version' is the latest, if used as a part of the API app
    • Ensure that 'HTTP Version' is the latest, if used to run the API app
    • Latest TLS version should be used in your API App
    • Authentication should be enabled on your API app
  • Function apps should have 'Client Certificates (Incoming client certificates)' enabled
    • Update scope of policy to include slots
    • Update scope of policy to exclude Logic apps
  • Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'
    • Rename of policy to "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled"
    • Update scope of policy to include slots
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'Python version' is the latest, if used as a part of the Web app
    • Rename of policy to "App Service apps that use Python should use the latest 'Python version'"
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'Python version' is the latest, if used as a part of the Function app
    • Rename of policy to "Function apps that use Python should use the latest 'Python version'"
    • Update scope of policy to exclude Logic apps
  • CORS should not allow every resource to access your Web Applications
    • Rename of policy to "App Service apps should not have CORS configured to allow every resource to access your apps"
    • Update scope of policy to include all app types except Function apps
  • CORS should not allow every resource to access your Function Apps
    • Rename of policy to "Function apps should not have CORS configured to allow every resource to access your apps"
    • Update scope of policy to exclude Logic apps
  • Managed identity should be used in your Function App
    • Rename of policy to "Function apps should use managed identity"
    • Update scope of policy to exclude Logic apps
  • Managed identity should be used in your Web App
    • Rename of policy to "App Service apps should use managed identity"
    • Update scope of policy to include all app types except Function apps
  • Remote debugging should be turned off for Function Apps
    • Rename of policy to "Function apps should have remote debugging turned off"
    • Update scope of policy to exclude Logic apps
  • Remote debugging should be turned off for Web Applications
    • Rename of policy to "App Service apps should have remote debugging turned off"
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'PHP version' is the latest, if used as a part of the WEB app
    • Rename of policy to "App Service apps that use PHP should use the latest 'PHP version'"
    • Update scope of policy to include all app types except Function apps
  • App Service slots should have local authentication methods disabled for SCM site deployment
    • Rename of policy to "App Service app slots should have local authentication methods disabled for SCM site deployments"
  • App Service should have local authentication methods disabled for SCM site deployments
    • Rename of policy to "App Service apps should have local authentication methods disabled for SCM site deployments"
  • App Service slots should have local authentication methods disabled for FTP deployments
    • Rename of policy to "App Service app slots should have local authentication methods disabled for FTP deployments"
  • App Service should have local authentication methods disabled for FTP deployments
    • Rename of policy to "App Service apps should have local authentication methods disabled for FTP deployments"
  • Function apps should use an Azure file share for its content directory
    • Update scope of policy to include slots
    • Update scope of policy to exclude Logic apps
  • Web apps should use an Azure file share for its content directory
    • Rename of policy to "App Service apps should use an Azure file share for its content directory"
    • Update scope of policy to include slots
    • Update scope of policy to include all app types except Function apps
  • FTPS only should be required in your Function App
    • Rename of policy to "Function apps should require FTPS only"
    • Update scope of policy to exclude Logic apps
  • FTPS should be required in your Web App
    • Rename of policy to "App Service apps should require FTPS only"
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'Java version' is the latest, if used as a part of the Function app
    • Rename of policy to "Function apps that use Java should use the latest 'Java version'"
    • Update scope of policy to exclude Logic apps
  • Ensure that 'Java version' is the latest, if used as a part of the Web app
    • Rename of policy to "App Service apps that use Java should use the latest 'Java version'"
    • Update scope of policy to include all app types except Function apps
  • App Service should use private link
    • Rename of policy to "App Service apps should use private link"
  • Configure App Services to use private DNS zones
    • Rename of policy to "Configure App Service apps to use private DNS zones"
  • App Service Apps should be injected into a virtual network
    • Rename of policy to "App Service apps should be injected into a virtual network"
    • Update scope of policy to include slots
  • Ensure that 'HTTP Version' is the latest, if used to run the Web app
    • Rename of policy to "App Service apps should use latest 'HTTP Version'"
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'HTTP Version' is the latest, if used to run the Function app
    • Rename of policy to "Function apps should use latest 'HTTP Version'"
    • Update scope of policy to exclude Logic apps
  • Latest TLS version should be used in your Web App
    • Rename of policy to "App Service apps should use the latest TLS version"
    • Update scope of policy to include all app types except Function apps
  • Latest TLS version should be used in your Function App
    • Rename of policy to "Function apps should use the latest TLS version"
    • Update scope of policy to exclude Logic apps
  • App Service Environment should disable TLS 1.0 and 1.1
    • Rename of policy to "App Service Environment should have TLS 1.0 and 1.1 disabled"
  • Resource logs in App Services should be enabled
    • Rename of policy to "App Service apps should have resource logs enabled"
  • Authentication should be enabled on your web app
    • Rename of policy to "App Service apps should have authentication enabled"
  • Authentication should be enabled on your Function app
    • Rename of policy to "Function apps should have authentication enabled"
    • Update scope of policy to exclude Logic apps
  • App Service Environment should enable internal encryption
    • Rename of policy to "App Service Environment should have internal encryption enabled"
  • Function apps should only be accessible over HTTPS
    • Update scope of policy to exclude Logic apps
  • App Service should use a virtual network service endpoint
    • Rename of policy to "App Service apps should use a virtual network service endpoint"
    • Update scope of policy to include all app types except Function apps

June 2022

  • Deprecation of policy API App should only be accessible over HTTPS
  • Web Application should only be accessible over HTTPS
    • Rename of policy to "App Service apps should only be accessible over HTTPS"
    • Update scope of policy to include all app types except Function apps
    • Update scope of policy to include slots
  • Function apps should only be accessible over HTTPS
    • Update scope of policy to include slots
  • App Service apps should use a SKU that supports private link
    • Update logic of policy to include checks on App Service plan tier or name so that the policy supports Terraform deployments
    • Update list of supported SKUs of policy to include the Basic and Standard tiers

Next steps