Azure Policy Regulatory Compliance controls for Azure App Service

Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure App Service. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | App Service apps should use the latest TLS version | 2.0.1 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Function apps should use the latest TLS version | 2.0.1 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | App Service apps should have remote debugging turned off | 2.0.0 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | Function apps should have remote debugging turned off | 2.0.0 |
| Guidelines for Software Development - Web application development | 1424 | Web browser-based security controls - 1424 | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Guidelines for Software Development - Web application development | 1552 | Web application interactions - 1552 | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Guidelines for Software Development - Web application development | 1552 | Web application interactions - 1552 | Function apps should only be accessible over HTTPS | 5.0.0 |

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Function apps should have remote debugging turned off | 2.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Function apps should only be accessible over HTTPS | 5.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| 9 AppService | 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| 9 AppService | 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Function apps should use latest 'HTTP Version' | 4.0.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | App Service apps should have resource logs enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are disabled | App Service apps should require FTPS only | 3.0.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are disabled | Function apps should require FTPS only | 3.0.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Function apps should use latest 'HTTP Version' | 4.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.4.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v1.4.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | App Service apps should have resource logs enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are Disabled | App Service apps should require FTPS only | 3.0.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are Disabled | Function apps should require FTPS only | 3.0.0 |
| 9 AppService | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 9 AppService | 9.3 | Ensure Web App is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.3 | Ensure Web App is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.1 |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | Function apps should use latest 'HTTP Version' | 4.0.0 |

CIS Microsoft Azure Foundations Benchmark 2.0.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | App Service apps should have resource logs enabled | 2.0.1 |
| 9 | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | App Service apps should have authentication enabled | 2.0.1 |
| 9 | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Function apps should have authentication enabled | 3.0.0 |
| 9 | 9.10 | Ensure FTP deployments are Disabled | App Service apps should require FTPS only | 3.0.0 |
| 9 | 9.10 | Ensure FTP deployments are Disabled | Function apps should require FTPS only | 3.0.0 |
| 9 | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | App Service apps should only be accessible over HTTPS | 4.0.0 |
| 9 | 9.3 | Ensure Web App is using the latest version of TLS encryption | App Service apps should use the latest TLS version | 2.0.1 |
| 9 | 9.3 | Ensure Web App is using the latest version of TLS encryption | Function apps should use the latest TLS version | 2.0.1 |
| 9 | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| 9 | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | App Service apps should use managed identity | 3.0.0 |
| 9 | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Function apps should use managed identity | 3.0.0 |
| 9 | 9.6 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | App Service app slots that use PHP should use a specified 'PHP version' | 1.0.0 |
| 9 | 9.6 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | App Service apps that use PHP should use a specified 'PHP version' | 3.2.0 |
| 9 | 9.7 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | App Service app slots that use Python should use a specified 'Python version' | 1.0.0 |
| 9 | 9.7 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | App Service apps that use Python should use a specified 'Python version' | 4.1.0 |
| 9 | 9.8 | Ensure that 'Java version' is the latest, if used to run the Web App | Function app slots that use Java should use a specified 'Java version' | 1.0.0 |
| 9 | 9.8 | Ensure that 'Java version' is the latest, if used to run the Web App | Function apps that use Java should use a specified 'Java version' | 3.1.0 |
| 9 | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| 9 | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | Function apps should use latest 'HTTP Version' | 4.0.0 |

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Function apps should only be accessible over HTTPS | 5.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | App Service apps should use the latest TLS version | 2.0.1 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Function apps should only be accessible over HTTPS | 5.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Function apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | App Service apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Function apps should only be accessible over HTTPS | 5.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Function apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | App Service apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function apps should only be accessible over HTTPS | 5.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Function apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | App Service apps should use the latest TLS version | 2.0.1 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Function apps should only be accessible over HTTPS | 5.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Function apps should use the latest TLS version | 2.0.1 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | App Service apps should use the latest TLS version | 2.0.1 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Function apps should use latest 'HTTP Version' | 4.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Function apps should use the latest TLS version | 2.0.1 |

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-2 | Account Management | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17 | Remote Access | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 | Remote Access | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Function apps should have remote debugging turned off | 2.0.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | App Service apps should have resource logs enabled | 2.0.1 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | App Service apps should have resource logs enabled | 2.0.1 |
| Audit And Accountability | AU-12 | Audit Generation | App Service apps should have resource logs enabled | 2.0.1 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Function apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | Function apps should use managed identity | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Information Integrity | SI-2 | Flaw Remediation | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Function apps should use latest 'HTTP Version' | 4.0.0 |

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-2 | Account Management | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | App Service apps should use managed identity | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Function apps should use managed identity | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Access Control | AC-17 | Remote Access | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 | Remote Access | Function apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | App Service apps should have remote debugging turned off | 2.0.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Function apps should have remote debugging turned off | 2.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | App Service apps should have resource logs enabled | 2.0.1 |
| Configuration Management | CM-6 | Configuration Settings | [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | 3.1.0-deprecated |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have Client Certificates (Incoming client certificates) enabled | 1.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | App Service apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should have remote debugging turned off | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Function apps should not have CORS configured to allow every resource to access your apps | 2.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Function apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | App Service apps should use managed identity | 3.0.0 |
| Identification And Authentication | IA-4 | Identifier Management | Function apps should use managed identity | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should only be accessible over HTTPS | 4.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | App Service apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should only be accessible over HTTPS | 5.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should require FTPS only | 3.0.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Function apps should use the latest TLS version | 2.0.1 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | App Service Environment should have internal encryption enabled | 1.0.1 |
| System And Information Integrity | SI-2 | Flaw Remediation | App Service apps should use latest 'HTTP Version' | 4.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Function apps should use latest 'HTTP Version' | 4.0.0 |

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Identification of Risks Related to External Parties 1402.05i1Organizational.45 - 05.i Remote access connections between the organization and external parties are encrypted. Function apps should only be accessible over HTTPS 5.0.0
Identification of Risks Related to External Parties 1403.05i1Organizational.67 - 05.i Access granted to external parties is limited to the minimum necessary and granted only for the duration required. App Service apps should only be accessible over HTTPS 4.0.0
06 Configuration Management 0662.09sCSPOrganizational.2-09.s 0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
08 Network Protection 0805.01m1Organizational.12-01.m 0805.01m1Organizational.12-01.m 01.04 Network Access Control App Service apps should use a virtual network service endpoint 2.0.1
08 Network Protection 0806.01m2Organizational.12356-01.m 0806.01m2Organizational.12356-01.m 01.04 Network Access Control App Service apps should use a virtual network service endpoint 2.0.1
08 Network Protection 0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 01.04 Network Access Control App Service apps should only be accessible over HTTPS 4.0.0
08 Network Protection 0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 01.04 Network Access Control App Service apps should use the latest TLS version 2.0.1
08 Network Protection 0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 01.04 Network Access Control Function apps should only be accessible over HTTPS 5.0.0
08 Network Protection 0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 01.04 Network Access Control Function apps should use the latest TLS version 2.0.1
08 Network Protection 0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 01.04 Network Access Control App Service apps should only be accessible over HTTPS 4.0.0
08 Network Protection 0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 01.04 Network Access Control App Service apps should use the latest TLS version 2.0.1
08 Network Protection 0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 01.04 Network Access Control Function apps should only be accessible over HTTPS 5.0.0
08 Network Protection 0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 01.04 Network Access Control Function apps should use the latest TLS version 2.0.1
08 Network Protection 0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 01.04 Network Access Control App Service apps should only be accessible over HTTPS 4.0.0
08 Network Protection 0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 01.04 Network Access Control App Service apps should use the latest TLS version 2.0.1
08 Network Protection 0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 01.04 Network Access Control Function apps should only be accessible over HTTPS 5.0.0
08 Network Protection 0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 01.04 Network Access Control Function apps should use the latest TLS version 2.0.1
08 Network Protection 0812.01n2Organizational.8-01.n 0812.01n2Organizational.8-01.n 01.04 Network Access Control App Service apps should only be accessible over HTTPS 4.0.0
08 Network Protection 0812.01n2Organizational.8-01.n 0812.01n2Organizational.8-01.n 01.04 Network Access Control App Service apps should use the latest TLS version 2.0.1
08 Network Protection 0812.01n2Organizational.8-01.n 0812.01n2Organizational.8-01.n 01.04 Network Access Control Function apps should only be accessible over HTTPS 5.0.0
08 Network Protection 0812.01n2Organizational.8-01.n 0812.01n2Organizational.8-01.n 01.04 Network Access Control Function apps should use the latest TLS version 2.0.1
08 Network Protection 0814.01n1Organizational.12-01.n 0814.01n1Organizational.12-01.n 01.04 Network Access Control App Service apps should only be accessible over HTTPS 4.0.0
08 Network Protection 0814.01n1Organizational.12-01.n 0814.01n1Organizational.12-01.n 01.04 Network Access Control App Service apps should use the latest TLS version 2.0.1
08 Network Protection 0814.01n1Organizational.12-01.n 0814.01n1Organizational.12-01.n 01.04 Network Access Control Function apps should only be accessible over HTTPS 5.0.0
08 Network Protection 0814.01n1Organizational.12-01.n 0814.01n1Organizational.12-01.n 01.04 Network Access Control Function apps should use the latest TLS version 2.0.1
08 Network Protection 0861.09m2Organizational.67-09.m 0861.09m2Organizational.67-09.m 09.06 Network Security Management App Service apps should use a virtual network service endpoint 2.0.1
08 Network Protection 0894.01m2Organizational.7-01.m 0894.01m2Organizational.7-01.m 01.04 Network Access Control App Service apps should use a virtual network service endpoint 2.0.1
09 Transmission Protection 0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09.08 Exchange of Information App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
09 Transmission Protection 0902.09s2Organizational.13-09.s 0902.09s2Organizational.13-09.s 09.08 Exchange of Information Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
09 Transmission Protection 0912.09s1Organizational.4-09.s 0912.09s1Organizational.4-09.s 09.08 Exchange of Information App Service apps should have remote debugging turned off 2.0.0
09 Transmission Protection 0913.09s1Organizational.5-09.s 0913.09s1Organizational.5-09.s 09.08 Exchange of Information Function apps should have remote debugging turned off 2.0.0
09 Transmission Protection 0915.09s2Organizational.2-09.s 0915.09s2Organizational.2-09.s 09.08 Exchange of Information App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
09 Transmission Protection 0916.09s2Organizational.4-09.s 0916.09s2Organizational.4-09.s 09.08 Exchange of Information App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
09 Transmission Protection 0949.09y2Organizational.5-09.y 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services App Service apps should only be accessible over HTTPS 4.0.0
09 Transmission Protection 0949.09y2Organizational.5-09.y 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services App Service apps should use the latest TLS version 2.0.1
09 Transmission Protection 0949.09y2Organizational.5-09.y 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services Function apps should only be accessible over HTTPS 5.0.0
09 Transmission Protection 0949.09y2Organizational.5-09.y 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services Function apps should use the latest TLS version 2.0.1
09 Transmission Protection 0960.09sCSPOrganizational.1-09.s 0960.09sCSPOrganizational.1-09.s 09.08 Exchange of Information Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
11 Access Control 1194.01l2Organizational.2-01.l 1194.01l2Organizational.2-01.l 01.04 Network Access Control App Service apps should have remote debugging turned off 2.0.0
11 Access Control 1195.01l3Organizational.1-01.l 1195.01l3Organizational.1-01.l 01.04 Network Access Control Function apps should have remote debugging turned off 2.0.0
12 Audit Logging & Monitoring 1209.09aa3System.2-09.aa 1209.09aa3System.2-09.aa 09.10 Monitoring App Service apps should have resource logs enabled 2.0.1
13 Education, Training and Awareness 1325.09s1Organizational.3-09.s 1325.09s1Organizational.3-09.s 09.08 Exchange of Information Function apps should have remote debugging turned off 2.0.0

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control 9.3.1.12 Remote Access (AC-17) App Service apps should have remote debugging turned off 2.0.0
Access Control 9.3.1.12 Remote Access (AC-17) Function apps should have remote debugging turned off 2.0.0
Access Control 9.3.1.4 Information Flow Enforcement (AC-4) App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) App Service apps should only be accessible over HTTPS 4.0.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Function apps should only be accessible over HTTPS 5.0.0

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Cryptography 10.1.1 Policy on the use of cryptographic controls App Service apps should only be accessible over HTTPS 4.0.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Function apps should only be accessible over HTTPS 5.0.0

Microsoft cloud security benchmark

The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Network Security NS-8 Detect and disable insecure services and protocols App Service apps should use the latest TLS version 2.0.1
Network Security NS-8 Detect and disable insecure services and protocols Function apps should use the latest TLS version 2.0.1
Identity Management IM-3 Manage application identities securely and automatically App Service apps should use managed identity 3.0.0
Identity Management IM-3 Manage application identities securely and automatically Function apps should use managed identity 3.0.0
Data Protection DP-3 Encrypt sensitive data in transit App Service apps should only be accessible over HTTPS 4.0.0
Data Protection DP-3 Encrypt sensitive data in transit App Service apps should require FTPS only 3.0.0
Data Protection DP-3 Encrypt sensitive data in transit App Service apps should use the latest TLS version 2.0.1
Data Protection DP-3 Encrypt sensitive data in transit Function apps should only be accessible over HTTPS 5.0.0
Data Protection DP-3 Encrypt sensitive data in transit Function apps should require FTPS only 3.0.0
Data Protection DP-3 Encrypt sensitive data in transit Function apps should use the latest TLS version 2.0.1
Logging and Threat Detection LT-3 Enable logging for security investigation App Service apps should have resource logs enabled 2.0.1
Posture and Vulnerability Management PV-2 Audit and enforce secure configurations [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled 3.1.0-deprecated
Posture and Vulnerability Management PV-2 Audit and enforce secure configurations App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
Posture and Vulnerability Management PV-2 Audit and enforce secure configurations App Service apps should have remote debugging turned off 2.0.0
Posture and Vulnerability Management PV-2 Audit and enforce secure configurations App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Posture and Vulnerability Management PV-2 Audit and enforce secure configurations Function apps should have remote debugging turned off 2.0.0
Posture and Vulnerability Management PV-2 Audit and enforce secure configurations Function apps should not have CORS configured to allow every resource to access your apps 2.0.0

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). App Service apps should have remote debugging turned off 2.0.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). App Service apps should use managed identity 3.0.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Function apps should have remote debugging turned off 2.0.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Function apps should use managed identity 3.0.0
Access Control 3.1.12 Monitor and control remote access sessions. App Service apps should have remote debugging turned off 2.0.0
Access Control 3.1.12 Monitor and control remote access sessions. Function apps should have remote debugging turned off 2.0.0
Access Control 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. App Service apps should have remote debugging turned off 2.0.0
Access Control 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. App Service apps should use managed identity 3.0.0
Access Control 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. Function apps should have remote debugging turned off 2.0.0
Access Control 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. Function apps should use managed identity 3.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
System and Communications Protection 3.13.16 Protect the confidentiality of CUI at rest. App Service Environment should have internal encryption enabled 1.0.1
System and Communications Protection 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. App Service apps should only be accessible over HTTPS 4.0.0
System and Communications Protection 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. App Service apps should require FTPS only 3.0.0
System and Communications Protection 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. App Service apps should use the latest TLS version 2.0.1
System and Communications Protection 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Function apps should only be accessible over HTTPS 5.0.0
System and Communications Protection 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Function apps should require FTPS only 3.0.0
System and Communications Protection 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Function apps should use the latest TLS version 2.0.1
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. App Service apps should use latest 'HTTP Version' 4.0.0
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. Function apps should use latest 'HTTP Version' 4.0.0
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity App Service apps should have resource logs enabled 2.0.1
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. App Service apps should have resource logs enabled 2.0.1
Configuration Management 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled 3.1.0-deprecated
Configuration Management 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
Configuration Management 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. App Service apps should have remote debugging turned off 2.0.0
Configuration Management 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Configuration Management 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Function apps should have remote debugging turned off 2.0.0
Configuration Management 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Configuration Management 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled 3.1.0-deprecated
Configuration Management 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
Configuration Management 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. App Service apps should have remote debugging turned off 2.0.0
Configuration Management 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Configuration Management 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. Function apps should have remote debugging turned off 2.0.0
Configuration Management 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Identification and Authentication 3.5.1 Identify system users, processes acting on behalf of users, and devices. App Service apps should use managed identity 3.0.0
Identification and Authentication 3.5.1 Identify system users, processes acting on behalf of users, and devices. Function apps should use managed identity 3.0.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. App Service apps should use managed identity 3.0.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Function apps should use managed identity 3.0.0
Identification and Authentication 3.5.5 Prevent reuse of identifiers for a defined period. App Service apps should use managed identity 3.0.0
Identification and Authentication 3.5.5 Prevent reuse of identifiers for a defined period. Function apps should use managed identity 3.0.0
Identification and Authentication 3.5.6 Disable identifiers after a defined period of inactivity. App Service apps should use managed identity 3.0.0
Identification and Authentication 3.5.6 Disable identifiers after a defined period of inactivity. Function apps should use managed identity 3.0.0

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control AC-2 Account Management App Service apps should use managed identity 3.0.0
Access Control AC-2 Account Management Function apps should use managed identity 3.0.0
Access Control AC-3 Access Enforcement App Service apps should use managed identity 3.0.0
Access Control AC-3 Access Enforcement Function apps should use managed identity 3.0.0
Access Control AC-4 Information Flow Enforcement App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Access Control AC-17 Remote Access App Service apps should have remote debugging turned off 2.0.0
Access Control AC-17 Remote Access Function apps should have remote debugging turned off 2.0.0
Access Control AC-17 (1) Automated Monitoring / Control App Service apps should have remote debugging turned off 2.0.0
Access Control AC-17 (1) Automated Monitoring / Control Function apps should have remote debugging turned off 2.0.0
Audit And Accountability AU-6 (4) Central Review And Analysis App Service apps should have resource logs enabled 2.0.1
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities App Service apps should have resource logs enabled 2.0.1
Audit And Accountability AU-12 Audit Generation App Service apps should have resource logs enabled 2.0.1
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail App Service apps should have resource logs enabled 2.0.1
Configuration Management CM-6 Configuration Settings [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled 3.1.0-deprecated
Configuration Management CM-6 Configuration Settings App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
Configuration Management CM-6 Configuration Settings App Service apps should have remote debugging turned off 2.0.0
Configuration Management CM-6 Configuration Settings App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should have remote debugging turned off 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) App Service apps should use managed identity 3.0.0
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) Function apps should use managed identity 3.0.0
Identification And Authentication IA-4 Identifier Management App Service apps should use managed identity 3.0.0
Identification And Authentication IA-4 Identifier Management Function apps should use managed identity 3.0.0
System And Communications Protection SC-8 Transmission Confidentiality And Integrity App Service apps should only be accessible over HTTPS 4.0.0
System And Communications Protection SC-8 Transmission Confidentiality And Integrity App Service apps should require FTPS only 3.0.0
System And Communications Protection SC-8 Transmission Confidentiality And Integrity App Service apps should use the latest TLS version 2.0.1
System And Communications Protection SC-8 Transmission Confidentiality And Integrity Function apps should only be accessible over HTTPS 5.0.0
System And Communications Protection SC-8 Transmission Confidentiality And Integrity Function apps should require FTPS only 3.0.0
System And Communications Protection SC-8 Transmission Confidentiality And Integrity Function apps should use the latest TLS version 2.0.1
System And Communications Protection SC-8 (1) Cryptographic Or Alternate Physical Protection App Service apps should only be accessible over HTTPS 4.0.0
System And Communications Protection SC-8 (1) Cryptographic Or Alternate Physical Protection App Service apps should require FTPS only 3.0.0
System And Communications Protection SC-8 (1) Cryptographic Or Alternate Physical Protection App Service apps should use the latest TLS version 2.0.1
System And Communications Protection SC-8 (1) Cryptographic Or Alternate Physical Protection Function apps should only be accessible over HTTPS 5.0.0
System And Communications Protection SC-8 (1) Cryptographic Or Alternate Physical Protection Function apps should require FTPS only 3.0.0
System And Communications Protection SC-8 (1) Cryptographic Or Alternate Physical Protection Function apps should use the latest TLS version 2.0.1
System And Communications Protection SC-28 Protection Of Information At Rest App Service Environment should have internal encryption enabled 1.0.1
System And Communications Protection SC-28 (1) Cryptographic Protection App Service Environment should have internal encryption enabled 1.0.1
System And Information Integrity SI-2 Flaw Remediation App Service apps should use latest 'HTTP Version' 4.0.0
System And Information Integrity SI-2 Flaw Remediation Function apps should use latest 'HTTP Version' 4.0.0
System And Information Integrity SI-2 (6) Removal of Previous Versions of Software / Firmware App Service apps should use latest 'HTTP Version' 4.0.0
System And Information Integrity SI-2 (6) Removal of Previous Versions of Software / Firmware Function apps should use latest 'HTTP Version' 4.0.0

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control AC-2 Account Management App Service apps should use managed identity 3.0.0
Access Control AC-2 Account Management Function apps should use managed identity 3.0.0
Access Control AC-3 Access Enforcement App Service apps should use managed identity 3.0.0
Access Control AC-3 Access Enforcement Function apps should use managed identity 3.0.0
Access Control AC-4 Information Flow Enforcement App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Access Control AC-17 Remote Access App Service apps should have remote debugging turned off 2.0.0
Access Control AC-17 Remote Access Function apps should have remote debugging turned off 2.0.0
Access Control AC-17 (1) Monitoring and Control App Service apps should have remote debugging turned off 2.0.0
Access Control AC-17 (1) Monitoring and Control Function apps should have remote debugging turned off 2.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis App Service apps should have resource logs enabled 2.0.1
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records App Service apps should have resource logs enabled 2.0.1
Audit and Accountability AU-12 Audit Record Generation App Service apps should have resource logs enabled 2.0.1
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail App Service apps should have resource logs enabled 2.0.1
Configuration Management CM-6 Configuration Settings [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled 3.1.0-deprecated
Configuration Management CM-6 Configuration Settings App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
Configuration Management CM-6 Configuration Settings App Service apps should have remote debugging turned off 2.0.0
Configuration Management CM-6 Configuration Settings App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should have remote debugging turned off 2.0.0
Configuration Management CM-6 Configuration Settings Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) App Service apps should use managed identity 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) Function apps should use managed identity 3.0.0
Identification and Authentication IA-4 Identifier Management App Service apps should use managed identity 3.0.0
Identification and Authentication IA-4 Identifier Management Function apps should use managed identity 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity App Service apps should only be accessible over HTTPS 4.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity App Service apps should require FTPS only 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity App Service apps should use the latest TLS version 2.0.1
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function apps should only be accessible over HTTPS 5.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function apps should require FTPS only 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Function apps should use the latest TLS version 2.0.1
System and Communications Protection SC-8 (1) Cryptographic Protection App Service apps should only be accessible over HTTPS 4.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection App Service apps should require FTPS only 3.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection App Service apps should use the latest TLS version 2.0.1
System and Communications Protection SC-8 (1) Cryptographic Protection Function apps should only be accessible over HTTPS 5.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Function apps should require FTPS only 3.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Function apps should use the latest TLS version 2.0.1
System and Communications Protection SC-28 Protection of Information at Rest App Service Environment should have internal encryption enabled 1.0.1
System and Communications Protection SC-28 (1) Cryptographic Protection App Service Environment should have internal encryption enabled 1.0.1
System and Information Integrity SI-2 Flaw Remediation App Service apps should use latest 'HTTP Version' 4.0.0
System and Information Integrity SI-2 Flaw Remediation Function apps should use latest 'HTTP Version' 4.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware App Service apps should use latest 'HTTP Version' 4.0.0
System and Information Integrity SI-2 (6) Removal of Previous Versions of Software and Firmware Function apps should use latest 'HTTP Version' 4.0.0

NL BIO Cloud Theme

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. App Service apps should use latest 'HTTP Version' 4.0.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. App Service apps that use Java should use a specified 'Java version' 3.1.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. App Service apps that use PHP should use a specified 'PHP version' 3.2.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. App Service apps that use Python should use a specified 'Python version' 4.1.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. Function apps should use latest 'HTTP Version' 4.0.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. Function apps that use Java should use a specified 'Java version' 3.1.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. Function apps that use Python should use a specified 'Python version' 4.1.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. App Service apps should use latest 'HTTP Version' 4.0.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. App Service apps that use Java should use a specified 'Java version' 3.1.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. App Service apps that use PHP should use a specified 'PHP version' 3.2.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. App Service apps that use Python should use a specified 'Python version' 4.1.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. Function apps should use latest 'HTTP Version' 4.0.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. Function apps that use Java should use a specified 'Java version' 3.1.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. Function apps that use Python should use a specified 'Python version' 4.1.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. App Service apps should have remote debugging turned off 2.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. App Service apps should use latest 'HTTP Version' 4.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. App Service apps that use Java should use a specified 'Java version' 3.1.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. App Service apps that use PHP should use a specified 'PHP version' 3.2.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. App Service apps that use Python should use a specified 'Python version' 4.1.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Function apps should have remote debugging turned off 2.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Function apps should use latest 'HTTP Version' 4.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Function apps that use Java should use a specified 'Java version' 3.1.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Function apps that use Python should use a specified 'Python version' 4.1.0
U.05.1 Data protection - Cryptographic measures U.05.1 Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. App Service apps should only be accessible over HTTPS 4.0.0
U.05.1 Data protection - Cryptographic measures U.05.1 Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. App Service apps should require FTPS only 3.0.0
U.05.1 Data protection - Cryptographic measures U.05.1 Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. App Service apps should use the latest TLS version 2.0.1
U.05.1 Data protection - Cryptographic measures U.05.1 Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. Function apps should only be accessible over HTTPS 5.0.0
U.05.1 Data protection - Cryptographic measures U.05.1 Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. Function apps should require FTPS only 3.0.0
U.05.1 Data protection - Cryptographic measures U.05.1 Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. Function apps should use the latest TLS version 2.0.1
U.07.3 Data separation - Management features U.07.3 U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. App Service apps should use managed identity 3.0.0
U.07.3 Data separation - Management features U.07.3 U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. App Service Environment should have internal encryption enabled 1.0.1
U.07.3 Data separation - Management features U.07.3 U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. Function apps should use managed identity 3.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Function apps should use latest 'HTTP Version' 4.0.0
U.10.2 Access to IT services and data - Users U.10.2 Under the responsibility of the CSP, access is granted to administrators. App Service apps should use managed identity 3.0.0
U.10.2 Access to IT services and data - Users U.10.2 Under the responsibility of the CSP, access is granted to administrators. Function apps should use managed identity 3.0.0
U.10.3 Access to IT services and data - Users U.10.3 Only users with authenticated equipment can access IT services and data. App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
U.10.3 Access to IT services and data - Users U.10.3 Only users with authenticated equipment can access IT services and data. App Service apps should use managed identity 3.0.0
U.10.3 Access to IT services and data - Users U.10.3 Only users with authenticated equipment can access IT services and data. Function apps should use managed identity 3.0.0
U.10.5 Access to IT services and data - Competent U.10.5 Access to IT services and data is limited by technical measures and has been implemented. App Service apps should use managed identity 3.0.0
U.10.5 Access to IT services and data - Competent U.10.5 Access to IT services and data is limited by technical measures and has been implemented. Function apps should use managed identity 3.0.0
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. App Service apps should only be accessible over HTTPS 4.0.0
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. App Service apps should require FTPS only 3.0.0
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. App Service apps should use the latest TLS version 2.0.1
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. Function apps should only be accessible over HTTPS 5.0.0
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. Function apps should require FTPS only 3.0.0
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. Function apps should use the latest TLS version 2.0.1
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. App Service apps should only be accessible over HTTPS 4.0.0
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. App Service apps should require FTPS only 3.0.0
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. App Service apps should use the latest TLS version 2.0.1
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. Function apps should only be accessible over HTTPS 5.0.0
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. Function apps should require FTPS only 3.0.0
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. Function apps should use the latest TLS version 2.0.1
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. App Service apps should have resource logs enabled 2.0.1

PCI DSS 3.2.1

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Requirement 3 3.4 PCI DSS requirement 3.4 App Service apps should only be accessible over HTTPS 4.0.0
Requirement 3 3.4 PCI DSS requirement 3.4 Function apps should only be accessible over HTTPS 5.0.0
Requirement 4 4.1 PCI DSS requirement 4.1 App Service apps should only be accessible over HTTPS 4.0.0
Requirement 4 4.1 PCI DSS requirement 4.1 Function apps should only be accessible over HTTPS 5.0.0
Requirement 6 6.5.3 PCI DSS requirement 6.5.3 App Service apps should only be accessible over HTTPS 4.0.0
Requirement 6 6.5.3 PCI DSS requirement 6.5.3 Function apps should only be accessible over HTTPS 5.0.0

PCI DSS v4.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Requirement 03: Protect Stored Account Data 3.5.1 Primary account number (PAN) is secured wherever it is stored App Service apps should only be accessible over HTTPS 4.0.0
Requirement 03: Protect Stored Account Data 3.5.1 Primary account number (PAN) is secured wherever it is stored Function apps should only be accessible over HTTPS 5.0.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.2.4 Bespoke and custom software are developed securely App Service apps should only be accessible over HTTPS 4.0.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.2.4 Bespoke and custom software are developed securely Function apps should only be accessible over HTTPS 5.0.0

Reserve Bank of India - IT Framework for NBFC

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Information and Cyber Security 3.1.b Segregation of Functions-3.1 [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled 3.1.0-deprecated
Information and Cyber Security 3.1.b Segregation of Functions-3.1 App Service apps should have remote debugging turned off 2.0.0
Information and Cyber Security 3.1.b Segregation of Functions-3.1 Function apps should have remote debugging turned off 2.0.0
Information and Cyber Security 3.1.h Public Key Infrastructure (PKI)-3.1 App Service apps should only be accessible over HTTPS 4.0.0
Information and Cyber Security 3.1.h Public Key Infrastructure (PKI)-3.1 App Service apps should use the latest TLS version 2.0.1
Information and Cyber Security 3.1.h Public Key Infrastructure (PKI)-3.1 App Service Environment should have internal encryption enabled 1.0.1
Information and Cyber Security 3.1.h Public Key Infrastructure (PKI)-3.1 Function apps should only be accessible over HTTPS 5.0.0
Information and Cyber Security 3.1.h Public Key Infrastructure (PKI)-3.1 Function apps should use the latest TLS version 2.0.1
Information and Cyber Security 3.8 Digital Signatures-3.8 [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled 3.1.0-deprecated
Information and Cyber Security 3.8 Digital Signatures-3.8 App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0

Reserve Bank of India IT Framework for Banks v2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Advanced Real-Time Threat Defence and Management Advanced Real-Time Threat Defence and Management-13.1 [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled 3.1.0-deprecated
Network Management And Security Network Device Configuration Management-4.3 App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
Network Management And Security Network Device Configuration Management-4.3 App Service apps should have remote debugging turned off 2.0.0
Audit Log Settings Audit Log Settings-17.1 App Service apps should have resource logs enabled 2.0.1
Advanced Real-Time Threat Defence and Management Advanced Real-Time Threat Defence and Management-13.1 App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 App Service apps should only be accessible over HTTPS 4.0.0
Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 App Service apps should require FTPS only 3.0.0
User Access Control / Management User Access Control / Management-8.4 App Service apps should use managed identity 3.0.0
Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 App Service apps should use the latest TLS version 2.0.1
Network Management And Security Network Device Configuration Management-4.3 Function apps should have remote debugging turned off 2.0.0
Advanced Real-Time Threat Defence and Management Advanced Real-Time Threat Defence and Management-13.1 Function apps should not have CORS configured to allow every resource to access your apps 2.0.0
Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 Function apps should only be accessible over HTTPS 5.0.0
Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 Function apps should require FTPS only 3.0.0
User Access Control / Management User Access Control / Management-8.4 Function apps should use managed identity 3.0.0
Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 Function apps should use the latest TLS version 2.0.1

RMIT Malaysia

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see RMIT Malaysia.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Cryptography 10.20 Cryptography - 10.20 [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled 3.1.0-deprecated
Cryptography 10.20 Cryptography - 10.20 App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
Access Control 10.54 Access Control - 10.54 App Service apps should have authentication enabled 2.0.1
Access Control 10.54 Access Control - 10.54 Function apps should have authentication enabled 3.0.0
Access Control 10.54 Access Control - 10.54 Function apps should use managed identity 3.0.0
Security of Digital Services 10.66 Security of Digital Services - 10.66 App Service apps should have resource logs enabled 2.0.1
Security of Digital Services 10.68 Security of Digital Services - 10.68 App Service apps should use the latest TLS version 2.0.1
Security of Digital Services 10.68 Security of Digital Services - 10.68 Function apps should use the latest TLS version 2.0.1
Control Measures on Cybersecurity Appendix 5.3 Control Measures on Cybersecurity - Appendix 5.3 App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Control Measures on Cybersecurity Appendix 5.3 Control Measures on Cybersecurity - Appendix 5.3 App Service apps should only be accessible over HTTPS 4.0.0
Control Measures on Cybersecurity Appendix 5.3 Control Measures on Cybersecurity - Appendix 5.3 App Service apps should require FTPS only 3.0.0
Control Measures on Cybersecurity Appendix 5.3 Control Measures on Cybersecurity - Appendix 5.3 App Service apps should use latest 'HTTP Version' 4.0.0
Control Measures on Cybersecurity Appendix 5.3 Control Measures on Cybersecurity - Appendix 5.3 Function apps should only be accessible over HTTPS 5.0.0
Control Measures on Cybersecurity Appendix 5.3 Control Measures on Cybersecurity - Appendix 5.3 Function apps should require FTPS only 3.0.0
Control Measures on Cybersecurity Appendix 5.3 Control Measures on Cybersecurity - Appendix 5.3 Function apps should use latest 'HTTP Version' 4.0.0
Control Measures on Cybersecurity Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 App Service apps should have remote debugging turned off 2.0.0
Control Measures on Cybersecurity Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Function apps should have remote debugging turned off 2.0.0
Control Measures on Cybersecurity Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Function apps should not have CORS configured to allow every resource to access your apps 2.0.0

SWIFT CSP-CSCF v2021

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2021. For more information about this compliance standard, see SWIFT CSP CSCF v2021.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
SWIFT Environment Protection 1.1 SWIFT Environment Protection App Service apps should have remote debugging turned off 2.0.0
SWIFT Environment Protection 1.1 SWIFT Environment Protection App Service apps should use a virtual network service endpoint 2.0.1
SWIFT Environment Protection 1.1 SWIFT Environment Protection Function apps should have remote debugging turned off 2.0.0
SWIFT Environment Protection 1.2 Operating System Privileged Account Control App Service apps should have remote debugging turned off 2.0.0
SWIFT Environment Protection 1.2 Operating System Privileged Account Control Function apps should have remote debugging turned off 2.0.0
Reduce Attack Surface and Vulnerabilities 2.1 Internal Data Flow Security App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
Reduce Attack Surface and Vulnerabilities 2.1 Internal Data Flow Security App Service apps should only be accessible over HTTPS 4.0.0
Reduce Attack Surface and Vulnerabilities 2.1 Internal Data Flow Security App Service apps should use managed identity 3.0.0
Reduce Attack Surface and Vulnerabilities 2.1 Internal Data Flow Security App Service apps should use the latest TLS version 2.0.1
Reduce Attack Surface and Vulnerabilities 2.1 Internal Data Flow Security Function apps should only be accessible over HTTPS 5.0.0
Reduce Attack Surface and Vulnerabilities 2.1 Internal Data Flow Security Function apps should use managed identity 3.0.0
Reduce Attack Surface and Vulnerabilities 2.1 Internal Data Flow Security Function apps should use the latest TLS version 2.0.1
Reduce Attack Surface and Vulnerabilities 2.4A Back-office Data Flow Security App Service apps should have Client Certificates (Incoming client certificates) enabled 1.0.0
Reduce Attack Surface and Vulnerabilities 2.4A Back-office Data Flow Security App Service apps should only be accessible over HTTPS 4.0.0
Reduce Attack Surface and Vulnerabilities 2.4A Back-office Data Flow Security Function apps should only be accessible over HTTPS 5.0.0
Reduce Attack Surface and Vulnerabilities 2.5A External Transmission Data Protection App Service apps should only be accessible over HTTPS 4.0.0
Reduce Attack Surface and Vulnerabilities 2.5A External Transmission Data Protection Function apps should only be accessible over HTTPS 5.0.0
Reduce Attack Surface and Vulnerabilities 2.6 Operator Session Confidentiality and Integrity App Service apps should use the latest TLS version 2.0.1
Reduce Attack Surface and Vulnerabilities 2.6 Operator Session Confidentiality and Integrity Function apps should use the latest TLS version 2.0.1
Manage Identities and Segregate Privileges 5.2 Token Management App Service apps should use managed identity 3.0.0
Manage Identities and Segregate Privileges 5.2 Token Management Function apps should use managed identity 3.0.0
Manage Identities and Segregate Privileges 5.4 Physical and Logical Password Storage App Service apps should use managed identity 3.0.0
Manage Identities and Segregate Privileges 5.4 Physical and Logical Password Storage Function apps should use managed identity 3.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.2 Software Integrity App Service apps should have remote debugging turned off 2.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.2 Software Integrity Function apps should have remote debugging turned off 2.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.5A Intrusion Detection App Service apps should have remote debugging turned off 2.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.5A Intrusion Detection App Service apps should not have CORS configured to allow every resource to access your apps 2.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.5A Intrusion Detection Function apps should have remote debugging turned off 2.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.5A Intrusion Detection Function apps should not have CORS configured to allow every resource to access your apps 2.0.0

SWIFT CSP-CSCF v2022

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2022. For more information about this compliance standard, see SWIFT CSP CSCF v2022.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
1. Restrict Internet Access & Protect Critical Systems from General IT Environment 1.1 Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. App Service apps should use a virtual network service endpoint 2.0.1
1. Restrict Internet Access & Protect Critical Systems from General IT Environment 1.5A Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. App Service apps should use a virtual network service endpoint 2.0.1
6. Detect Anomalous Activity to Systems or Transaction Records 6.4 Record security events and detect anomalous actions and operations within the local SWIFT environment. App Service apps should have resource logs enabled 2.0.1

UK OFFICIAL and UK NHS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Data in transit protection 1 Data in transit protection App Service apps should only be accessible over HTTPS 4.0.0
Data in transit protection 1 Data in transit protection Function apps should only be accessible over HTTPS 5.0.0
External interface protection 11 External interface protection App Service apps should have remote debugging turned off 2.0.0
External interface protection 11 External interface protection Function apps should have remote debugging turned off 2.0.0

Release notes

April 2023

  • App Service apps that use Java should use the latest 'Java version'
    • Rename of policy to "App Service apps that use Java should use a specified 'Java version'"
    • Update policy so that it requires a version specification before assignment
  • App Service apps that use Python should use the latest 'Python version'
    • Rename of policy to "App Service apps that use Python should use a specified 'Python version'"
    • Update policy so that it requires a version specification before assignment
  • Function apps that use Java should use the latest 'Java version'
    • Rename of policy to "Function apps that use Java should use a specified 'Java version'"
    • Update policy so that it requires a version specification before assignment
  • Function apps that use Python should use the latest 'Python version'
    • Rename of policy to "Function apps that use Python should use a specified 'Python version'"
    • Update policy so that it requires a version specification before assignment
  • App Service apps that use PHP should use the latest 'PHP version'
    • Rename of policy to "App Service apps that use PHP should use a specified 'PHP version'"
    • Update policy so that it requires a version specification before assignment
  • App Service app slots that use Python should use a specified 'Python version'
    • New policy created
  • Function app slots that use Python should use a specified 'Python version'
    • New policy created
  • App Service app slots that use PHP should use a specified 'PHP version'
    • New policy created
  • App Service app slots that use Java should use a specified 'Java version'
    • New policy created
  • Function app slots that use Java should use a specified 'Java version'
    • New policy created

November 2022

  • Deprecation of policy App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network
    • Replaced by a policy with the same display name based on the site property to support Deny effect
  • Deprecation of policy App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network
    • Replaced by a policy with the same display name based on the site property to support Deny effect
  • App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network
    • New policy created
  • App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network
    • New policy created
  • App Service apps should enable configuration routing to Azure Virtual Network
    • New policy created
  • App Service app slots should enable configuration routing to Azure Virtual Network
    • New policy created

October 2022

  • Function app slots should have remote debugging turned off
    • New policy created
  • App Service app slots should have remote debugging turned off
    • New policy created
  • Function app slots should use latest 'HTTP Version'
    • New policy created
  • Function app slots should use the latest TLS version
    • New policy created
  • App Service app slots should use the latest TLS version
    • New policy created
  • App Service app slots should have resource logs enabled
    • New policy created
  • App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network
    • New policy created
  • App Service app slots should use managed identity
    • New policy created
  • App Service app slots should use latest 'HTTP Version'
    • New policy created
  • Deprecation of policy Configure App Services to disable public network access
    • Replaced by "Configure App Service apps to disable public network access"
  • Deprecation of policy App Services should disable public network access
    • Replaced by "App Service apps should disable public network access" to support Deny effect
  • App Service apps should disable public network access
    • New policy created
  • App Service app slots should disable public network access
    • New policy created
  • Configure App Service apps to disable public network access
    • New policy created
  • Configure App Service app slots to disable public network access
    • New policy created
  • Function apps should disable public network access
    • New policy created
  • Function app slots should disable public network access
    • New policy created
  • Configure Function apps to disable public network access
    • New policy created
  • Configure Function app slots to disable public network access
    • New policy created
  • Configure App Service app slots to turn off remote debugging
    • New policy created
  • Configure Function app slots to turn off remote debugging
    • New policy created
  • Configure App Service app slots to use the latest TLS version
    • New policy created
  • Configure Function app slots to use the latest TLS version
    • New policy created
  • App Service apps should use latest 'HTTP Version'
    • Update scope to include Windows apps
  • Function apps should use latest 'HTTP Version'
    • Update scope to include Windows apps
  • App Service Environment apps should not be reachable over public internet
    • Modify policy definition to remove check on API version

September 2022

  • App Service apps should be injected into a virtual network
    • Update scope of policy to remove slots
      • Creation of "App Service app slots should be injected into a virtual network" to monitor slots
  • App Service app slots should be injected into a virtual network
    • New policy created
  • Function apps should have 'Client Certificates (Incoming client certificates)' enabled
    • Update scope of policy to remove slots
      • Creation of "Function app slots should have 'Client Certificates (Incoming client certificates)' enabled" to monitor slots
  • Function app slots should have 'Client Certificates (Incoming client certificates)' enabled
    • New policy created
  • Function apps should use an Azure file share for its content directory
    • Update scope of policy to remove slots
      • Creation of "Function app slots should use an Azure file share for its content directory" to monitor slots
  • Function app slots should use an Azure file share for its content directory
    • New policy created
  • App Service apps should have 'Client Certificates (Incoming client certificates)' enabled
    • Update scope of policy to remove slots
      • Creation of "App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled" to monitor slots
  • App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled
    • New policy created
  • App Service apps should use an Azure file share for its content directory
    • Update scope of policy to remove slots
      • Creation of "App Service app slots should use an Azure file share for its content directory" to monitor slots
  • App Service app slots should use an Azure file share for its content directory
    • New policy created
  • Function app slots should require FTPS only
    • New policy created
  • App Service app slots should require FTPS only
    • New policy created
  • Function app slots should not have CORS configured to allow every resource to access your apps
    • New policy created
  • App Service app slots should not have CORS configured to allow every resource to access your app
    • New policy created
  • Function apps should only be accessible over HTTPS
    • Update scope of policy to remove slots
      • Creation of "Function app slots should only be accessible over HTTPS" to monitor slots
    • Add "Deny" effect
    • Creation of "Configure Function apps to only be accessible over HTTPS" for enforcement of policy
  • Function app slots should only be accessible over HTTPS
    • New policy created
  • Configure Function apps to only be accessible over HTTPS
    • New policy created
  • Configure Function app slots to only be accessible over HTTPS
    • New policy created
  • App Service apps should use a SKU that supports private link
    • Update list of supported SKUs of policy to include the Workflow Standard tier for Logic Apps
  • Configure App Service apps to use the latest TLS version
    • New policy created
  • Configure Function apps to use the latest TLS version
    • New policy created
  • Configure App Service apps to turn off remote debugging
    • New policy created
  • Configure Function apps to turn off remote debugging
    • New policy created

August 2022

  • App Service apps should only be accessible over HTTPS
    • Update scope of policy to remove slots
      • Creation of "App Service app slots should only be accessible over HTTPS" to monitor slots
    • Add "Deny" effect
    • Creation of "Configure App Service apps to only be accessible over HTTPS" for enforcement of policy
  • App Service app slots should only be accessible over HTTPS
    • New policy created
  • Configure App Service apps to only be accessible over HTTPS
    • New policy created
  • Configure App Service app slots to only be accessible over HTTPS
    • New policy created

July 2022

  • Deprecation of the following policies:
    • Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'
    • Ensure that 'Python version' is the latest, if used as a part of the API app
    • CORS should not allow every resource to access your API App
    • Managed identity should be used in your API App
    • Remote debugging should be turned off for API Apps
    • Ensure that 'PHP version' is the latest, if used as a part of the API app
    • API apps should use an Azure file share for its content directory
    • FTPS only should be required in your API App
    • Ensure that 'Java version' is the latest, if used as a part of the API app
    • Ensure that 'HTTP Version' is the latest, if used to run the API app
    • Latest TLS version should be used in your API App
    • Authentication should be enabled on your API app
  • Function apps should have 'Client Certificates (Incoming client certificates)' enabled
    • Update scope of policy to include slots
    • Update scope of policy to exclude Logic apps
  • Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'
    • Rename of policy to "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled"
    • Update scope of policy to include slots
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'Python version' is the latest, if used as a part of the Web app
    • Rename of policy to "App Service apps that use Python should use the latest 'Python version'"
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'Python version' is the latest, if used as a part of the Function app
    • Rename of policy to "Function apps that use Python should use the latest 'Python version'"
    • Update scope of policy to exclude Logic apps
  • CORS should not allow every resource to access your Web Applications
    • Rename of policy to "App Service apps should not have CORS configured to allow every resource to access your apps"
    • Update scope of policy to include all app types except Function apps
  • CORS should not allow every resource to access your Function Apps
    • Rename of policy to "Function apps should not have CORS configured to allow every resource to access your apps"
    • Update scope of policy to exclude Logic apps
  • Managed identity should be used in your Function App
    • Rename of policy to "Function apps should use managed identity"
    • Update scope of policy to exclude Logic apps
  • Managed identity should be used in your Web App
    • Rename of policy to "App Service apps should use managed identity"
    • Update scope of policy to include all app types except Function apps
  • Remote debugging should be turned off for Function Apps
    • Rename of policy to "Function apps should have remote debugging turned off"
    • Update scope of policy to exclude Logic apps
  • Remote debugging should be turned off for Web Applications
    • Rename of policy to "App Service apps should have remote debugging turned off"
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'PHP version' is the latest, if used as a part of the WEB app
    • Rename of policy to "App Service apps that use PHP should use the latest 'PHP version'"
    • Update scope of policy to include all app types except Function apps
  • App Service slots should have local authentication methods disabled for SCM site deployment
    • Rename of policy to "App Service app slots should have local authentication methods disabled for SCM site deployments"
  • App Service should have local authentication methods disabled for SCM site deployments
    • Rename of policy to "App Service apps should have local authentication methods disabled for SCM site deployments"
  • App Service slots should have local authentication methods disabled for FTP deployments
    • Rename of policy to "App Service app slots should have local authentication methods disabled for FTP deployments"
  • App Service should have local authentication methods disabled for FTP deployments
    • Rename of policy to "App Service apps should have local authentication methods disabled for FTP deployments"
  • Function apps should use an Azure file share for its content directory
    • Update scope of policy to include slots
    • Update scope of policy to exclude Logic apps
  • Web apps should use an Azure file share for its content directory
    • Rename of policy to "App Service apps should use an Azure file share for its content directory"
    • Update scope of policy to include slots
    • Update scope of policy to include all app types except Function apps
  • FTPS only should be required in your Function App
    • Rename of policy to "Function apps should require FTPS only"
    • Update scope of policy to exclude Logic apps
  • FTPS should be required in your Web App
    • Rename of policy to "App Service apps should require FTPS only"
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'Java version' is the latest, if used as a part of the Function app
    • Rename of policy to "Function apps that use Java should use the latest 'Java version'"
    • Update scope of policy to exclude Logic apps
  • Ensure that 'Java version' is the latest, if used as a part of the Web app
    • Rename of policy to "App Service apps that use Java should use the latest 'Java version'"
    • Update scope of policy to include all app types except Function apps
  • App Service should use private link
    • Rename of policy to "App Service apps should use private link"
  • Configure App Services to use private DNS zones
    • Rename of policy to "Configure App Service apps to use private DNS zones"
  • App Service Apps should be injected into a virtual network
    • Rename of policy to "App Service apps should be injected into a virtual network"
    • Update scope of policy to include slots
  • Ensure that 'HTTP Version' is the latest, if used to run the Web app
    • Rename of policy to "App Service apps should use latest 'HTTP Version'"
    • Update scope of policy to include all app types except Function apps
  • Ensure that 'HTTP Version' is the latest, if used to run the Function app
    • Rename of policy to "Function apps should use latest 'HTTP Version'"
    • Update scope of policy to exclude Logic apps
  • Latest TLS version should be used in your Web App
    • Rename of policy to "App Service apps should use the latest TLS version"
    • Update scope of policy to include all app types except Function apps
  • Latest TLS version should be used in your Function App
    • Rename of policy to "Function apps should use the latest TLS version"
    • Update scope of policy to exclude Logic apps
  • App Service Environment should disable TLS 1.0 and 1.1
    • Rename of policy to "App Service Environment should have TLS 1.0 and 1.1 disabled"
  • Resource logs in App Services should be enabled
    • Rename of policy to "App Service apps should have resource logs enabled"
  • Authentication should be enabled on your web app
    • Rename of policy to "App Service apps should have authentication enabled"
  • Authentication should be enabled on your Function app
    • Rename of policy to "Function apps should have authentication enabled"
    • Update scope of policy to exclude Logic apps
  • App Service Environment should enable internal encryption
    • Rename of policy to "App Service Environment should have internal encryption enabled"
  • Function apps should only be accessible over HTTPS
    • Update scope of policy to exclude Logic apps
  • App Service should use a virtual network service endpoint
    • Rename of policy to "App Service apps should use a virtual network service endpoint"
    • Update scope of policy to include all app types except Function apps

June 2022

  • Deprecation of policy API App should only be accessible over HTTPS
  • Web Application should only be accessible over HTTPS
    • Rename of policy to "App Service apps should only be accessible over HTTPS"
    • Update scope of policy to include all app types except Function apps
    • Update scope of policy to include slots
  • Function apps should only be accessible over HTTPS
    • Update scope of policy to include slots
  • App Service apps should use a SKU that supports private link
    • Update logic of policy to include checks on App Service plan tier or name so that the policy supports Terraform deployments
    • Update list of supported SKUs of policy to include the Basic and Standard tiers

Next steps