Azure Policy Regulatory Compliance controls for Azure App Service
Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure App Service. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.
The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.
Important
Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.
Australian Government ISM PROTECTED
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | App Service apps should use the latest TLS version | 2.0.1 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Function apps should use the latest TLS version | 2.0.1 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | App Service apps should have remote debugging turned off | 2.0.0 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | Function apps should have remote debugging turned off | 2.0.0 |
| Guidelines for Software Development - Web application development | 1424 | Web browser-based security controls - 1424 | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Guidelines for Software Development - Web application development | 1552 | Web application interactions - 1552 | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Guidelines for Software Development - Web application development | 1552 | Web application interactions - 1552 | Function apps should only be accessible over HTTPS | 5.0.0 |
Canada Federal PBMM
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17(1) | Remote Access | Automated Monitoring / Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17(1) | Remote Access | Automated Monitoring / Control | Function apps should have remote debugging turned off | 2.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection | Function apps should only be accessible over HTTPS | 5.0.0 |
CIS Microsoft Azure Foundations Benchmark 1.1.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| 9 AppService | 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| 9 AppService | 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Function apps should use latest 'HTTP Version' | 4.0.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |
CIS Microsoft Azure Foundations Benchmark 1.3.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | App Service apps should have resource logs enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are disabled | App Service apps should require FTPS only | 3.0.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are disabled | Function apps should require FTPS only | 3.0.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Function apps should use latest 'HTTP Version' | 4.0.0 |
CIS Microsoft Azure Foundations Benchmark 1.4.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v1.4.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | App Service apps should have resource logs enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are Disabled | App Service apps should require FTPS only | 3.0.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are Disabled | Function apps should require FTPS only | 3.0.0 |
| 9 AppService | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 9 AppService | 9.3 | Ensure Web App is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.3 | Ensure Web App is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | Function apps should use latest 'HTTP Version' | 4.0.0 |
CIS Microsoft Azure Foundations Benchmark 2.0.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | App Service apps should have resource logs enabled | 2.0.1 |
| 9 | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| 9 | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| 9 | 9.10 | Ensure FTP deployments are Disabled | App Service apps should require FTPS only | 3.0.0 |
| 9 | 9.10 | Ensure FTP deployments are Disabled | Function apps should require FTPS only | 3.0.0 |
| 9 | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 9 | 9.3 | Ensure Web App is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.1 |
| 9 | 9.3 | Ensure Web App is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.1 |
| 9 | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| 9 | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |
| 9 | 9.6 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | App Service app slots that use PHP should use a specified 'PHP version' | 1.0.0 |
| 9 | 9.6 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | App Service apps that use PHP should use a specified 'PHP version' | 3.2.0 |
| 9 | 9.7 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | App Service app slots that use Python should use a specified 'Python version' | 1.0.0 |
| 9 | 9.7 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | App Service apps that use Python should use a specified 'Python version' | 4.1.0 |
| 9 | 9.8 | Ensure that 'Java version' is the latest, if used to run the Web App | Function app slots that use Java should use a specified 'Java version' | 1.0.0 |
| 9 | 9.8 | Ensure that 'Java version' is the latest, if used to run the Web App | Function apps that use Java should use a specified 'Java version' | 3.1.0 |
| 9 | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| 9 | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | Function apps should use latest 'HTTP Version' | 4.0.0 |
CMMC Level 3
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Function apps should only be accessible over HTTPS | 5.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | App Service apps should use the latest TLS version | 2.0.1 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Function apps should only be accessible over HTTPS | 5.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Function apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | App Service apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Function apps should only be accessible over HTTPS | 5.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Function apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | App Service apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function apps should only be accessible over HTTPS | 5.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | App Service apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Function apps should only be accessible over HTTPS | 5.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Function apps should use the latest TLS version | 2.0.1 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | App Service apps should use the latest TLS version | 2.0.1 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Function apps should use latest 'HTTP Version' | 4.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Function apps should use the latest TLS version | 2.0.1 |
FedRAMP High
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-2 | Account Management | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17 | Remote Access | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 | Remote Access | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Function apps should have remote debugging turned off | 2.0.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | App Service apps should have resource logs enabled | 2.0.1 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | App Service apps should have resource logs enabled | 2.0.1 |
| Audit And Accountability | AU-12 | Audit Generation | App Service apps should have resource logs enabled | 2.0.1 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Function apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | Function apps should use managed identity | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Information Integrity | SI-2 | Flaw Remediation | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Function apps should use latest 'HTTP Version' | 4.0.0 |
FedRAMP Moderate
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-2 | Account Management | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17 | Remote Access | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 | Remote Access | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Function apps should have remote debugging turned off | 2.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM-6 | Configuration Settings | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Function apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | Function apps should use managed identity | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Information Integrity | SI-2 | Flaw Remediation | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Function apps should use latest 'HTTP Version' | 4.0.0 |
HIPAA HITRUST 9.2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Identification of Risks Related to External Parties | 1402.05i1Organizational.45 - 05.i | Remote access connections between the organization and external parties are encrypted. | Function apps should only be accessible over HTTPS | 5.0.0 |
| Identification of Risks Related to External Parties | 1403.05i1Organizational.67 - 05.i | Access granted to external parties is limited to the minimum necessary and granted only for the duration required. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 06 Configuration Management | 0662.09sCSPOrganizational.2-09.s | 0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| 08 Network Protection | 0805.01m1Organizational.12-01.m | 0805.01m1Organizational.12-01.m 01.04 Network Access Control | App Service apps should use a virtual network service endpoint | 2.0.1 |
| 08 Network Protection | 0806.01m2Organizational.12356-01.m | 0806.01m2Organizational.12356-01.m 01.04 Network Access Control | App Service apps should use a virtual network service endpoint | 2.0.1 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | App Service apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Function apps should only be accessible over HTTPS | 5.0.0 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Function apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | App Service apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Function apps should only be accessible over HTTPS | 5.0.0 |
| 08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Function apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | App Service apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Function apps should only be accessible over HTTPS | 5.0.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Function apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0812.01n2Organizational.8-01.n | 0812.01n2Organizational.8-01.n 01.04 Network Access Control | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 08 Network Protection | 0812.01n2Organizational.8-01.n | 0812.01n2Organizational.8-01.n 01.04 Network Access Control | App Service apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0812.01n2Organizational.8-01.n | 0812.01n2Organizational.8-01.n 01.04 Network Access Control | Function apps should only be accessible over HTTPS | 5.0.0 |
| 08 Network Protection | 0812.01n2Organizational.8-01.n | 0812.01n2Organizational.8-01.n 01.04 Network Access Control | Function apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0814.01n1Organizational.12-01.n | 0814.01n1Organizational.12-01.n 01.04 Network Access Control | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 08 Network Protection | 0814.01n1Organizational.12-01.n | 0814.01n1Organizational.12-01.n 01.04 Network Access Control | App Service apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0814.01n1Organizational.12-01.n | 0814.01n1Organizational.12-01.n 01.04 Network Access Control | Function apps should only be accessible over HTTPS | 5.0.0 |
| 08 Network Protection | 0814.01n1Organizational.12-01.n | 0814.01n1Organizational.12-01.n 01.04 Network Access Control | Function apps should use the latest TLS version | 2.0.1 |
| 08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | App Service apps should use a virtual network service endpoint | 2.0.1 |
| 08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | App Service apps should use a virtual network service endpoint | 2.0.1 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| 09 Transmission Protection | 0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | App Service apps should have remote debugging turned off | 2.0.0 |
| 09 Transmission Protection | 0913.09s1Organizational.5-09.s | 0913.09s1Organizational.5-09.s 09.08 Exchange of Information | Function apps should have remote debugging turned off | 2.0.0 |
| 09 Transmission Protection | 0915.09s2Organizational.2-09.s | 0915.09s2Organizational.2-09.s 09.08 Exchange of Information | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| 09 Transmission Protection | 0916.09s2Organizational.4-09.s | 0916.09s2Organizational.4-09.s 09.08 Exchange of Information | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| 09 Transmission Protection | 0949.09y2Organizational.5-09.y | 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 09 Transmission Protection | 0949.09y2Organizational.5-09.y | 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services | App Service apps should use the latest TLS version | 2.0.1 |
| 09 Transmission Protection | 0949.09y2Organizational.5-09.y | 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services | Function apps should only be accessible over HTTPS | 5.0.0 |
| 09 Transmission Protection | 0949.09y2Organizational.5-09.y | 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services | Function apps should use the latest TLS version | 2.0.1 |
| 09 Transmission Protection | 0960.09sCSPOrganizational.1-09.s | 0960.09sCSPOrganizational.1-09.s 09.08 Exchange of Information | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| 11 Access Control | 1194.01l2Organizational.2-01.l | 1194.01l2Organizational.2-01.l 01.04 Network Access Control | App Service apps should have remote debugging turned off | 2.0.0 |
| 11 Access Control | 1195.01l3Organizational.1-01.l | 1195.01l3Organizational.1-01.l 01.04 Network Access Control | Function apps should have remote debugging turned off | 2.0.0 |
| 12 Audit Logging & Monitoring | 1209.09aa3System.2-09.aa | 1209.09aa3System.2-09.aa 09.10 Monitoring | App Service apps should have resource logs enabled | 2.0.1 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Function apps should have remote debugging turned off | 2.0.0 |
IRS 1075 September 2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 9.3.1.12 | Remote Access (AC-17) | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | 9.3.1.12 | Remote Access (AC-17) | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | 9.3.1.4 | Information Flow Enforcement (AC-4) | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| System and Communications Protection | 9.3.16.6 | Transmission Confidentiality and Integrity (SC-8) | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | 9.3.16.6 | Transmission Confidentiality and Integrity (SC-8) | Function apps should only be accessible over HTTPS | 5.0.0 |
ISO 27001:2013
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Function apps should only be accessible over HTTPS | 5.0.0 |
Microsoft cloud security benchmark
The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | NS-8 | Detect and disable insecure services and protocols | App Service apps should use the latest TLS version | 2.0.1 |
| Network Security | NS-8 | Detect and disable insecure services and protocols | Function apps should use the latest TLS version | 2.0.1 |
| Identity Management | IM-3 | Manage application identities securely and automatically | App Service apps should use managed identity | 3.0.0 |
| Identity Management | IM-3 | Manage application identities securely and automatically | Function apps should use managed identity | 3.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | App Service apps should require FTPS only | 3.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | App Service apps should use the latest TLS version | 2.0.1 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | Function apps should only be accessible over HTTPS | 5.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | Function apps should require FTPS only | 3.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | Function apps should use the latest TLS version | 2.0.1 |
| Logging and Threat Detection | LT-3 | Enable logging for security investigation | App Service apps should have resource logs enabled | 2.0.1 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | App Service apps should have remote debugging turned off | 2.0.0 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | Function apps should have remote debugging turned off | 2.0.0 |
| Posture and Vulnerability Management | PV-2 | Audit and enforce secure configurations | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
NIST SP 800-171 R2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | App Service apps should use managed identity | 3.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Function apps should use managed identity | 3.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | App Service apps should use managed identity | 3.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Function apps should use managed identity | 3.0.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | App Service Environment should have internal encryption enabled | 1.0.1 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | App Service apps should require FTPS only | 3.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | App Service apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function apps should only be accessible over HTTPS | 5.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function apps should require FTPS only | 3.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function apps should use the latest TLS version | 2.0.1 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Function apps should use latest 'HTTP Version' | 4.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | App Service apps should have resource logs enabled | 2.0.1 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification and Authentication | 3.5.1 | Identify system users, processes acting on behalf of users, and devices. | App Service apps should use managed identity | 3.0.0 |
| Identification and Authentication | 3.5.1 | Identify system users, processes acting on behalf of users, and devices. | Function apps should use managed identity | 3.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | App Service apps should use managed identity | 3.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Function apps should use managed identity | 3.0.0 |
| Identification and Authentication | 3.5.5 | Prevent reuse of identifiers for a defined period. | App Service apps should use managed identity | 3.0.0 |
| Identification and Authentication | 3.5.5 | Prevent reuse of identifiers for a defined period. | Function apps should use managed identity | 3.0.0 |
| Identification and Authentication | 3.5.6 | Disable identifiers after a defined period of inactivity. | App Service apps should use managed identity | 3.0.0 |
| Identification and Authentication | 3.5.6 | Disable identifiers after a defined period of inactivity. | Function apps should use managed identity | 3.0.0 |
NIST SP 800-53 Rev. 4
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-2 | Account Management | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17 | Remote Access | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 | Remote Access | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Function apps should have remote debugging turned off | 2.0.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | App Service apps should have resource logs enabled | 2.0.1 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | App Service apps should have resource logs enabled | 2.0.1 |
| Audit And Accountability | AU-12 | Audit Generation | App Service apps should have resource logs enabled | 2.0.1 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM-6 | Configuration Settings | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Function apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | Function apps should use managed identity | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Information Integrity | SI-2 | Flaw Remediation | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Function apps should use latest 'HTTP Version' | 4.0.0 |
| System And Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System And Information Integrity | SI-2 (6) | Removal of Previous Versions of Software / Firmware | Function apps should use latest 'HTTP Version' | 4.0.0 |
NIST SP 800-53 Rev. 5
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-2 | Account Management | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17 | Remote Access | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 | Remote Access | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Monitoring and Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Function apps should have remote debugging turned off | 2.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | App Service apps should have resource logs enabled | 2.0.1 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | App Service apps should have resource logs enabled | 2.0.1 |
| Audit and Accountability | AU-12 | Audit Record Generation | App Service apps should have resource logs enabled | 2.0.1 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM-6 | Configuration Settings | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | App Service apps should use managed identity | 3.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Function apps should use managed identity | 3.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | App Service apps should use managed identity | 3.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | Function apps should use managed identity | 3.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | App Service apps should require FTPS only | 3.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | App Service apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Function apps should only be accessible over HTTPS | 5.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Function apps should require FTPS only | 3.0.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Function apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC-8 (1) | Cryptographic Protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic Protection | App Service apps should require FTPS only | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic Protection | App Service apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC-8 (1) | Cryptographic Protection | Function apps should only be accessible over HTTPS | 5.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic Protection | Function apps should require FTPS only | 3.0.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic Protection | Function apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | App Service Environment should have internal encryption enabled | 1.0.1 |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | App Service Environment should have internal encryption enabled | 1.0.1 |
| System and Information Integrity | SI-2 | Flaw Remediation | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Function apps should use latest 'HTTP Version' | 4.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software and Firmware | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System and Information Integrity | SI-2 (6) | Removal of Previous Versions of Software and Firmware | Function apps should use latest 'HTTP Version' | 4.0.0 |
NL BIO Cloud Theme
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | App Service apps that use Java should use a specified 'Java version' | 3.1.0 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | App Service apps that use PHP should use a specified 'PHP version' | 3.2.0 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | App Service apps that use Python should use a specified 'Python version' | 4.1.0 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Function apps should use latest 'HTTP Version' | 4.0.0 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Function apps that use Java should use a specified 'Java version' | 3.1.0 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Function apps that use Python should use a specified 'Python version' | 4.1.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | App Service apps that use Java should use a specified 'Java version' | 3.1.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | App Service apps that use PHP should use a specified 'PHP version' | 3.2.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | App Service apps that use Python should use a specified 'Python version' | 4.1.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Function apps should use latest 'HTTP Version' | 4.0.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Function apps that use Java should use a specified 'Java version' | 3.1.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Function apps that use Python should use a specified 'Python version' | 4.1.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | App Service apps should have remote debugging turned off | 2.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | App Service apps that use Java should use a specified 'Java version' | 3.1.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | App Service apps that use PHP should use a specified 'PHP version' | 3.2.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | App Service apps that use Python should use a specified 'Python version' | 4.1.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Function apps should have remote debugging turned off | 2.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Function apps should use latest 'HTTP Version' | 4.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Function apps that use Java should use a specified 'Java version' | 3.1.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Function apps that use Python should use a specified 'Python version' | 4.1.0 |
| U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | App Service apps should require FTPS only | 3.0.0 |
| U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | App Service apps should use the latest TLS version | 2.0.1 |
| U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | Function apps should only be accessible over HTTPS | 5.0.0 |
| U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | Function apps should require FTPS only | 3.0.0 |
| U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | Function apps should use the latest TLS version | 2.0.1 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | App Service apps should use managed identity | 3.0.0 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | App Service Environment should have internal encryption enabled | 1.0.1 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | Function apps should use managed identity | 3.0.0 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Function apps should use latest 'HTTP Version' | 4.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | App Service apps should use managed identity | 3.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Function apps should use managed identity | 3.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | App Service apps should use managed identity | 3.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Function apps should use managed identity | 3.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | App Service apps should use managed identity | 3.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Function apps should use managed identity | 3.0.0 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | App Service apps should require FTPS only | 3.0.0 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | App Service apps should use the latest TLS version | 2.0.1 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Function apps should only be accessible over HTTPS | 5.0.0 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Function apps should require FTPS only | 3.0.0 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Function apps should use the latest TLS version | 2.0.1 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | App Service apps should require FTPS only | 3.0.0 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | App Service apps should use the latest TLS version | 2.0.1 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Function apps should only be accessible over HTTPS | 5.0.0 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Function apps should require FTPS only | 3.0.0 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Function apps should use the latest TLS version | 2.0.1 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | App Service apps should have resource logs enabled | 2.0.1 |
PCI DSS 3.2.1
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Requirement 3 | 3.4 | PCI DSS requirement 3.4 | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Requirement 3 | 3.4 | PCI DSS requirement 3.4 | Function apps should only be accessible over HTTPS | 5.0.0 |
| Requirement 4 | 4.1 | PCI DSS requirement 4.1 | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Requirement 4 | 4.1 | PCI DSS requirement 4.1 | Function apps should only be accessible over HTTPS | 5.0.0 |
| Requirement 6 | 6.5.3 | PCI DSS requirement 6.5.3 | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Requirement 6 | 6.5.3 | PCI DSS requirement 6.5.3 | Function apps should only be accessible over HTTPS | 5.0.0 |
PCI DSS v4.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Requirement 03: Protect Stored Account Data | 3.5.1 | Primary account number (PAN) is secured wherever it is stored | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1 | Primary account number (PAN) is secured wherever it is stored | Function apps should only be accessible over HTTPS | 5.0.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.2.4 | Bespoke and custom software are developed securely | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.2.4 | Bespoke and custom software are developed securely | Function apps should only be accessible over HTTPS | 5.0.0 |
Reserve Bank of India - IT Framework for NBFC
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Information and Cyber Security | 3.1.b | Segregation of Functions-3.1 | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Information and Cyber Security | 3.1.b | Segregation of Functions-3.1 | App Service apps should have remote debugging turned off | 2.0.0 |
| Information and Cyber Security | 3.1.b | Segregation of Functions-3.1 | Function apps should have remote debugging turned off | 2.0.0 |
| Information and Cyber Security | 3.1.h | Public Key Infrastructure (PKI)-3.1 | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Information and Cyber Security | 3.1.h | Public Key Infrastructure (PKI)-3.1 | App Service apps should use the latest TLS version | 2.0.1 |
| Information and Cyber Security | 3.1.h | Public Key Infrastructure (PKI)-3.1 | App Service Environment should have internal encryption enabled | 1.0.1 |
| Information and Cyber Security | 3.1.h | Public Key Infrastructure (PKI)-3.1 | Function apps should only be accessible over HTTPS | 5.0.0 |
| Information and Cyber Security | 3.1.h | Public Key Infrastructure (PKI)-3.1 | Function apps should use the latest TLS version | 2.0.1 |
| Information and Cyber Security | 3.8 | Digital Signatures-3.8 | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Information and Cyber Security | 3.8 | Digital Signatures-3.8 | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
Reserve Bank of India IT Framework for Banks v2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Advanced Real-Timethreat Defenceand Management | Advanced Real-Timethreat Defenceand Management-13.1 | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated | |
| Network Management And Security | Network Device Configuration Management-4.3 | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 | |
| Network Management And Security | Network Device Configuration Management-4.3 | App Service apps should have remote debugging turned off | 2.0.0 | |
| Audit Log Settings | Audit Log Settings-17.1 | App Service apps should have resource logs enabled | 2.0.1 | |
| Advanced Real-Timethreat Defenceand Management | Advanced Real-Timethreat Defenceand Management-13.1 | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 | |
| Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.1 | App Service apps should only be accessible over HTTPS | 4.0.0 | |
| Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.1 | App Service apps should require FTPS only | 3.0.0 | |
| User Access Control / Management | User Access Control / Management-8.4 | App Service apps should use managed identity | 3.0.0 | |
| Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.1 | App Service apps should use the latest TLS version | 2.0.1 | |
| Network Management And Security | Network Device Configuration Management-4.3 | Function apps should have remote debugging turned off | 2.0.0 | |
| Advanced Real-Timethreat Defenceand Management | Advanced Real-Timethreat Defenceand Management-13.1 | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 | |
| Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.1 | Function apps should only be accessible over HTTPS | 5.0.0 | |
| Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.1 | Function apps should require FTPS only | 3.0.0 | |
| User Access Control / Management | User Access Control / Management-8.4 | Function apps should use managed identity | 3.0.0 | |
| Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.1 | Function apps should use the latest TLS version | 2.0.1 |
RMIT Malaysia
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see RMIT Malaysia.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Cryptography | 10.20 | Cryptography - 10.20 | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Cryptography | 10.20 | Cryptography - 10.20 | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Access Control | 10.54 | Access Control - 10.54 | App Service apps should have authentication enabled | 2.0.1 |
| Access Control | 10.54 | Access Control - 10.54 | Function apps should have authentication enabled | 3.0.0 |
| Access Control | 10.54 | Access Control - 10.54 | Function apps should use managed identity | 3.0.0 |
| Security of Digital Services | 10.66 | Security of Digital Services - 10.66 | App Service apps should have resource logs enabled | 2.0.1 |
| Security of Digital Services | 10.68 | Security of Digital Services - 10.68 | App Service apps should use the latest TLS version | 2.0.1 |
| Security of Digital Services | 10.68 | Security of Digital Services - 10.68 | Function apps should use the latest TLS version | 2.0.1 |
| Control Measures on Cybersecurity | Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Control Measures on Cybersecurity | Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Control Measures on Cybersecurity | Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps should require FTPS only | 3.0.0 |
| Control Measures on Cybersecurity | Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| Control Measures on Cybersecurity | Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | Function apps should only be accessible over HTTPS | 5.0.0 |
| Control Measures on Cybersecurity | Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | Function apps should require FTPS only | 3.0.0 |
| Control Measures on Cybersecurity | Appendix 5.3 | Control Measures on Cybersecurity - Appendix 5.3 | Function apps should use latest 'HTTP Version' | 4.0.0 |
| Control Measures on Cybersecurity | Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | App Service apps should have remote debugging turned off | 2.0.0 |
| Control Measures on Cybersecurity | Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Function apps should have remote debugging turned off | 2.0.0 |
| Control Measures on Cybersecurity | Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
SWIFT CSP-CSCF v2021
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2021. For more information about this compliance standard, see SWIFT CSP CSCF v2021.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| SWIFT Environment Protection | 1.1 | SWIFT Environment Protection | App Service apps should have remote debugging turned off | 2.0.0 |
| SWIFT Environment Protection | 1.1 | SWIFT Environment Protection | App Service apps should use a virtual network service endpoint | 2.0.1 |
| SWIFT Environment Protection | 1.1 | SWIFT Environment Protection | Function apps should have remote debugging turned off | 2.0.0 |
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | App Service apps should have remote debugging turned off | 2.0.0 |
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | Function apps should have remote debugging turned off | 2.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | App Service apps should use managed identity | 3.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | App Service apps should use the latest TLS version | 2.0.1 |
| Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | Function apps should only be accessible over HTTPS | 5.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | Function apps should use managed identity | 3.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | Function apps should use the latest TLS version | 2.0.1 |
| Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | Function apps should only be accessible over HTTPS | 5.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.5A | External Transmission Data Protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.5A | External Transmission Data Protection | Function apps should only be accessible over HTTPS | 5.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.6 | Operator Session Confidentiality and Integrity | App Service apps should use the latest TLS version | 2.0.1 |
| Reduce Attack Surface and Vulnerabilities | 2.6 | Operator Session Confidentiality and Integrity | Function apps should use the latest TLS version | 2.0.1 |
| Manage Identities and Segregate Privileges | 5.2 | Token Management | App Service apps should use managed identity | 3.0.0 |
| Manage Identities and Segregate Privileges | 5.2 | Token Management | Function apps should use managed identity | 3.0.0 |
| Manage Identities and Segregate Privileges | 5.4 | Physical and Logical Password Storage | App Service apps should use managed identity | 3.0.0 |
| Manage Identities and Segregate Privileges | 5.4 | Physical and Logical Password Storage | Function apps should use managed identity | 3.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.2 | Software Integrity | App Service apps should have remote debugging turned off | 2.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.2 | Software Integrity | Function apps should have remote debugging turned off | 2.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | App Service apps should have remote debugging turned off | 2.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | Function apps should have remote debugging turned off | 2.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
SWIFT CSP-CSCF v2022
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2022. For more information about this compliance standard, see SWIFT CSP CSCF v2022.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | App Service apps should use a virtual network service endpoint | 2.0.1 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | App Service apps should use a virtual network service endpoint | 2.0.1 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | App Service apps should have resource logs enabled | 2.0.1 |
System and Organization Controls (SOC) 2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for System and Organization Controls (SOC) 2. For more information about this compliance standard, see System and Organization Controls (SOC) 2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | App Service apps should require FTPS only | 3.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Function apps should only be accessible over HTTPS | 5.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Function apps should require FTPS only | 3.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Function apps should use the latest TLS version | 2.0.1 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | App Service apps should require FTPS only | 3.0.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Function apps should only be accessible over HTTPS | 5.0.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Function apps should require FTPS only | 3.0.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Function apps should use the latest TLS version | 2.0.1 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | App Service apps should require FTPS only | 3.0.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Function apps should only be accessible over HTTPS | 5.0.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Function apps should require FTPS only | 3.0.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Function apps should use the latest TLS version | 2.0.1 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | App Service apps should have remote debugging turned off | 2.0.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Function apps should have remote debugging turned off | 2.0.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Function apps should use latest 'HTTP Version' | 4.0.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | App Service apps should have remote debugging turned off | 2.0.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Function apps should have remote debugging turned off | 2.0.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Function apps should use latest 'HTTP Version' | 4.0.0 |
UK OFFICIAL and UK NHS
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Data in transit protection | 1 | Data in transit protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Data in transit protection | 1 | Data in transit protection | Function apps should only be accessible over HTTPS | 5.0.0 |
| External interface protection | 11 | External interface protection | App Service apps should have remote debugging turned off | 2.0.0 |
| External interface protection | 11 | External interface protection | Function apps should have remote debugging turned off | 2.0.0 |
Release notes
April 2023
- App Service apps that use Java should use the latest 'Java version'
- Rename of policy to "App Service apps that use Java should use a specified 'Java version'"
- Update policy so that it requires a version specification before assignment
- App Service apps that use Python should use the latest 'Python version'
- Rename of policy to "App Service apps that use Python should use a specified 'Python version'"
- Update policy so that it requires a version specification before assignment
- Function apps that use Java should use the latest 'Java version'
- Rename of policy to "Function apps that use Java should use a specified 'Java version'"
- Update policy so that it requires a version specification before assignment
- Function apps that use Python should use the latest 'Python version'
- Rename of policy to "Function apps that use Python should use a specified 'Python version'"
- Update policy so that it requires a version specification before assignment
- App Service apps that use PHP should use the latest 'PHP version'
- Rename of policy to "App Service apps that use PHP should use a specified 'PHP version'"
- Update policy so that it requires a version specification before assignment
- App Service app slots that use Python should use a specified 'Python version'
- New policy created
- Function app slots that use Python should use a specified 'Python version'
- New policy created
- App Service app slots that use PHP should use a specified 'PHP version'
- New policy created
- App Service app slots that use Java should use a specified 'Java version'
- New policy created
- Function app slots that use Java should use a specified 'Java version'
- New policy created
November 2022
- Deprecation of policy App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network
- Replaced by a policy with the same display name based on the site property to support Deny effect
- Deprecation of policy App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network
- Replaced by a policy with the same display name based on the site property to support Deny effect
- App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network
- New policy created
- App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network
- New policy created
- App Service apps should enable configuration routing to Azure Virtual Network
- New policy created
- App Service app slots should enable configuration routing to Azure Virtual Network
- New policy created
October 2022
- Function app slots should have remote debugging turned off
- New policy created
- App Service app slots should have remote debugging turned off
- New policy created
- Function app slots should use latest 'HTTP Version'
- New policy created
- Function app slots should use the latest TLS version
- New policy created
- App Service app slots should use the latest TLS version
- New policy created
- App Service app slots should have resource logs enabled
- New policy created
- App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network
- New policy created
- App Service app slots should use managed identity
- New policy created
- App Service app slots should use latest 'HTTP Version'
- New policy created
- Deprecation of policy Configure App Services to disable public network access
- Replaced by "Configure App Service apps to disable public network access"
- Deprecation of policy App Services should disable public network access
- Replaced by "App Service apps should disable public network access" to support Deny effect
- App Service apps should disable public network access
- New policy created
- App Service app slots should disable public network access
- New policy created
- Configure App Service apps to disable public network access
- New policy created
- Configure App Service app slots to disable public network access
- New policy created
- Function apps should disable public network access
- New policy created
- Function app slots should disable public network access
- New policy created
- Configure Function apps to disable public network access
- New policy created
- Configure Function app slots to disable public network access
- New policy created
- Configure App Service app slots to turn off remote debugging
- New policy created
- Configure Function app slots to turn off remote debugging
- New policy created
- Configure App Service app slots to use the latest TLS version
- New policy created
- Configure Function app slots to use the latest TLS version
- New policy created
- App Service apps should use latest 'HTTP Version'
- Update scope to include Windows apps
- Function apps should use latest 'HTTP Version'
- Update scope to include Windows apps
- App Service Environment apps should not be reachable over public internet
- Modify policy definition to remove check on API version
September 2022
- App Service apps should be injected into a virtual network
- Update scope of policy to remove slots
- Creation of "App Service app slots should be injected into a virtual network" to monitor slots
- Update scope of policy to remove slots
- App Service app slots should be injected into a virtual network
- New policy created
- Function apps should have 'Client Certificates (Incoming client certificates)' enabled
- Update scope of policy to remove slots
- Creation of "Function app slots should have 'Client Certificates (Incoming client certificates)' enabled" to monitor slots
- Update scope of policy to remove slots
- Function app slots should have 'Client Certificates (Incoming client certificates)' enabled
- New policy created
- Function apps should use an Azure file share for its content directory
- Update scope of policy to remove slots
- Creation of "Function app slots should use an Azure file share for its content directory" to monitor slots
- Update scope of policy to remove slots
- Function app slots should use an Azure file share for its content directory
- New policy created
- App Service apps should have 'Client Certificates (Incoming client certificates)' enabled
- Update scope of policy to remove slots
- Creation of "App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled" to monitor slots
- Update scope of policy to remove slots
- App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled
- New policy created
- App Service apps should use an Azure file share for its content directory
- Update scope of policy to remove slots
- Creation of "App Service app slots should use an Azure file share for its content directory" to monitor slots
- Update scope of policy to remove slots
- App Service app slots should use an Azure file share for its content directory
- New policy created
- Function app slots should require FTPS only
- New policy created
- App Service app slots should require FTPS only
- New policy created
- Function app slots should not have CORS configured to allow every resource to access your apps
- New policy created
- App Service app slots should not have CORS configured to allow every resource to access your app
- New policy created
- Function apps should only be accessible over HTTPS
- Update scope of policy to remove slots
- Creation of "Function app slots should only be accessible over HTTPS" to monitor slots
- Add "Deny" effect
- Creation of "Configure Function apps to only be accessible over HTTPS" for enforcement of policy
- Update scope of policy to remove slots
- Function app slots should only be accessible over HTTPS
- New policy created
- Configure Function apps to only be accessible over HTTPS
- New policy created
- Configure Function app slots to only be accessible over HTTPS
- New policy created
- App Service apps should use a SKU that supports private link
- Update list of supported SKUs of policy to include the Workflow Standard tier for Logic Apps
- Configure App Service apps to use the latest TLS version
- New policy created
- Configure Function apps to use the latest TLS version
- New policy created
- Configure App Service apps to turn off remote debugging
- New policy created
- Configure Function apps to turn off remote debugging
- New policy created
August 2022
- App Service apps should only be accessible over HTTPS
- Update scope of policy to remove slots
- Creation of "App Service app slots should only be accessible over HTTPS" to monitor slots
- Add "Deny" effect
- Creation of "Configure App Service apps to only be accessible over HTTPS" for enforcement of policy
- Update scope of policy to remove slots
- App Service app slots should only be accessible over HTTPS
- New policy created
- Configure App Service apps to only be accessible over HTTPS
- New policy created
- Configure App Service app slots to only be accessible over HTTPS
- New policy created
July 2022
- Deprecation of the following policies:
- Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'
- Ensure that 'Python version' is the latest, if used as a part of the API app
- CORS should not allow every resource to access your API App
- Managed identity should be used in your API App
- Remote debugging should be turned off for API Apps
- Ensure that 'PHP version' is the latest, if used as a part of the API app
- API apps should use an Azure file share for its content directory
- FTPS only should be required in your API App
- Ensure that 'Java version' is the latest, if used as a part of the API app
- Ensure that 'HTTP Version' is the latest, if used to run the API app
- Latest TLS version should be used in your API App
- Authentication should be enabled on your API app
- Function apps should have 'Client Certificates (Incoming client certificates)' enabled
- Update scope of policy to include slots
- Update scope of policy to exclude Logic apps
- Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'
- Rename of policy to "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled"
- Update scope of policy to include slots
- Update scope of policy to include all app types except Function apps
- Ensure that 'Python version' is the latest, if used as a part of the Web app
- Rename of policy to "App Service apps that use Python should use the latest 'Python version'"
- Update scope of policy to include all app types except Function apps
- Ensure that 'Python version' is the latest, if used as a part of the Function app
- Rename of policy to "Function apps that use Python should use the latest 'Python version'"
- Update scope of policy to exclude Logic apps
- CORS should not allow every resource to access your Web Applications
- Rename of policy to "App Service apps should not have CORS configured to allow every resource to access your apps"
- Update scope of policy to include all app types except Function apps
- CORS should not allow every resource to access your Function Apps
- Rename of policy to "Function apps should not have CORS configured to allow every resource to access your apps"
- Update scope of policy to exclude Logic apps
- Managed identity should be used in your Function App
- Rename of policy to "Function apps should use managed identity"
- Update scope of policy to exclude Logic apps
- Managed identity should be used in your Web App
- Rename of policy to "App Service apps should use managed identity"
- Update scope of policy to include all app types except Function apps
- Remote debugging should be turned off for Function Apps
- Rename of policy to "Function apps should have remote debugging turned off"
- Update scope of policy to exclude Logic apps
- Remote debugging should be turned off for Web Applications
- Rename of policy to "App Service apps should have remote debugging turned off"
- Update scope of policy to include all app types except Function apps
- Ensure that 'PHP version' is the latest, if used as a part of the WEB app
- Rename of policy to "App Service apps that use PHP should use the latest 'PHP version'"
- Update scope of policy to include all app types except Function apps
- App Service slots should have local authentication methods disabled for SCM site deployment
- Rename of policy to "App Service app slots should have local authentication methods disabled for SCM site deployments"
- App Service should have local authentication methods disabled for SCM site deployments
- Rename of policy to "App Service apps should have local authentication methods disabled for SCM site deployments"
- App Service slots should have local authentication methods disabled for FTP deployments
- Rename of policy to "App Service app slots should have local authentication methods disabled for FTP deployments"
- App Service should have local authentication methods disabled for FTP deployments
- Rename of policy to "App Service apps should have local authentication methods disabled for FTP deployments"
- Function apps should use an Azure file share for its content directory
- Update scope of policy to include slots
- Update scope of policy to exclude Logic apps
- Web apps should use an Azure file share for its content directory
- Rename of policy to "App Service apps should use an Azure file share for its content directory"
- Update scope of policy to include slots
- Update scope of policy to include all app types except Function apps
- FTPS only should be required in your Function App
- Rename of policy to "Function apps should require FTPS only"
- Update scope of policy to exclude Logic apps
- FTPS should be required in your Web App
- Rename of policy to "App Service apps should require FTPS only"
- Update scope of policy to include all app types except Function apps
- Ensure that 'Java version' is the latest, if used as a part of the Function app
- Rename of policy to "Function apps that use Java should use the latest 'Java version'"
- Update scope of policy to exclude Logic apps
- Ensure that 'Java version' is the latest, if used as a part of the Web app
- Rename of policy to "App Service apps that use Java should use the latest 'Java version"
- Update scope of policy to include all app types except Function apps
- App Service should use private link
- Rename of policy to "App Service apps should use private link"
- Configure App Services to use private DNS zones
- Rename of policy to "Configure App Service apps to use private DNS zones"
- App Service Apps should be injected into a virtual network
- Rename of policy to "App Service apps should be injected into a virtual network"
- Update scope of policy to include slots
- Ensure that 'HTTP Version' is the latest, if used to run the Web app
- Rename of policy to "App Service apps should use latest 'HTTP Version'"
- Update scope of policy to include all app types except Function apps
- Ensure that 'HTTP Version' is the latest, if used to run the Function app
- Rename of policy to "Function apps should use latest 'HTTP Version'"
- Update scope of policy to exclude Logic apps
- Latest TLS version should be used in your Web App
- Rename of policy to "App Service apps should use the latest TLS version"
- Update scope of policy to include all app types except Function apps
- Latest TLS version should be used in your Function App
- Rename of policy to "Function apps should use the latest TLS version"
- Update scope of policy to exclude Logic apps
- App Service Environment should disable TLS 1.0 and 1.1
- Rename of policy to "App Service Environment should have TLS 1.0 and 1.1 disabled"
- Resource logs in App Services should be enabled
- Rename of policy to "App Service apps should have resource logs enabled"
- Authentication should be enabled on your web app
- Rename of policy to "App Service apps should have authentication enabled"
- Authentication should be enabled on your Function app
- Rename of policy to "Function apps should have authentication enabled"
- Update scope of policy to exclude Logic apps
- App Service Environment should enable internal encryption
- Rename of policy to "App Service Environment should have internal encryption enabled"
- Function apps should only be accessible over HTTPS
- Update scope of policy to exclude Logic apps
- App Service should use a virtual network service endpoint
- Rename of policy to "App Service apps should use a virtual network service endpoint"
- Update scope of policy to include all app types except Function apps
June 2022
- Deprecation of policy API App should only be accessible over HTTPS
- Web Application should only be accessible over HTTPS
- Rename of policy to "App Service apps should only be accessible over HTTPS"
- Update scope of policy to include all app types except Function apps
- Update scope of policy to include slots
- Function apps should only be accessible over HTTPS
- Update scope of policy to include slots
- App Service apps should use a SKU that supports private link
- Update logic of policy to include checks on App Service plan tier or name so that the policy supports Terraform deployments
- Update list of supported SKUs of policy to include the Basic and Standard tiers
Next steps
- Learn more about Azure Policy Regulatory Compliance.
- See the built-ins on the Azure Policy GitHub repo.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for