Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers

Regulatory Compliance in Azure Policy provides Microsoft-created and Microsoft-managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Arc-enabled servers. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Windows machines should meet requirements for 'Security Settings - Account Policies' | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that have accounts without passwords | 3.1.0 |

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-5 | Separation of Duties | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Access Control | AC-5 | Separation of Duties | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Access Control | AC-6 | Least Privilege | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Access Control | AC-6 | Least Privilege | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that have accounts without passwords | 3.1.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Windows machines should be configured to use secure communication protocols | 4.1.1 |

CIS Microsoft Azure Foundations Benchmark 2.0.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| 2.1 | 2.1.13 | Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | Machines should be configured to periodically check for missing system updates | 3.7.0 |

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
| Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
| Configuration Management | CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
| Configuration Management | CM.2.063 | Control and monitor user-installed software. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | 3.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that have accounts without passwords | 3.1.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Linux machines that have accounts without passwords | 3.1.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
| Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Windows machines should be configured to use secure communication protocols | 4.1.1 |

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 3.1.0 |
| Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 3.2.0 |
| Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| Audit And Accountability | AU-12 | Audit Generation | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| Audit And Accountability | AU-12 | Audit Generation | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
| Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 3.2.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| System And Communications Protection | SC-3 | Security Function Isolation | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| System And Information Integrity | SI-4 | Information System Monitoring | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| System And Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 3.1.0 |
| Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 3.2.0 |
| Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| Audit And Accountability | AU-12 | Audit Generation | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
| Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 3.2.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| System And Information Integrity | SI-4 | Information System Monitoring | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| System And Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| User Identification and Authentication | 11210.01q2Organizational.10 - 01.q | Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| User Identification and Authentication | 11211.01q2Organizational.11 - 01.q | Signed electronic records shall contain information associated with the signing in human-readable format. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| 06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Windows machines should meet requirements for 'Security Options - Audit' | 3.0.0 |
| 06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Windows machines should meet requirements for 'System Audit Policies - Account Management' | 3.0.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 3.0.0 |
| 08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | Windows machines should meet requirements for 'Windows Firewall Properties' | 3.0.0 |
| 08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| 09 Transmission Protection | 0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Audit Windows machines that do not contain the specified certificates in Trusted Root | 3.0.0 |
| 11 Access Control | 1123.01q1System.2-01.q | 1123.01q1System.2-01.q 01.05 Operating System Access Control | Audit Windows machines that have extra accounts in the Administrators group | 2.0.0 |
| 11 Access Control | 1125.01q2System.1-01.q | 1125.01q2System.1-01.q 01.05 Operating System Access Control | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| 11 Access Control | 1127.01q2System.3-01.q | 1127.01q2System.3-01.q 01.05 Operating System Access Control | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| 11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Windows machines should meet requirements for 'Security Options - Accounts' | 3.0.0 |
| 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
| 12 Audit Logging & Monitoring | 1217.09ab3System.3-09.ab | 1217.09ab3System.3-09.ab 09.10 Monitoring | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
| 12 Audit Logging & Monitoring | 1277.09c2Organizational.4-09.c | 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| 16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Windows machines should meet requirements for 'Security Options - Recovery console' | 3.0.0 |

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Access Control | 9.3.1.12 | Remote Access (AC-17) | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Access Control | 9.3.1.5 | Separation of Duties (AC-5) | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0
Access Control | 9.3.1.5 | Separation of Duties (AC-5) | Audit Windows machines that have the specified members in the Administrators group | 2.0.0
Access Control | 9.3.1.6 | Least Privilege (AC-6) | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0
Access Control | 9.3.1.6 | Least Privilege (AC-6) | Audit Windows machines that have the specified members in the Administrators group | 2.0.0
System and Communications Protection | 9.3.16.6 | Transmission Confidentiality and Integrity (SC-8) | Windows machines should be configured to use secure communication protocols | 4.1.1
Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Linux machines that have accounts without passwords | 3.1.0
Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0
Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0
Identification and Authentication | 9.3.7.5 | Authenticator Management (IA-5) | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Access Control | 9.1.2 | Access to networks and network services | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Access Control | 9.1.2 | Access to networks and network services | Audit Linux machines that have accounts without passwords | 3.1.0
Access Control | 9.2.4 | Management of secret authentication information of users | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Access Control | 9.4.3 | Password management system | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Access Control | 9.4.3 | Password management system | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Access Control | 9.4.3 | Password management system | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0
Access Control | 9.4.3 | Password management system | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Access Control | 9.4.3 | Password management system | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0

Microsoft cloud security benchmark

The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Identity Management | IM-6 | Use strong authentication controls | Authentication to Linux machines should require SSH keys | 3.2.0
Data Protection | DP-3 | Encrypt sensitive data in transit | Windows machines should be configured to use secure communication protocols | 4.1.1
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | Machines should be configured to periodically check for missing system updates | 3.7.0
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | System updates should be installed on your machines (powered by Update Center) | 1.0.1
Endpoint Security | ES-2 | Use modern anti-malware software | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Audit Linux machines that have accounts without passwords | 3.1.0
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Authentication to Linux machines should require SSH keys | 3.2.0
Access Control | 3.1.12 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0
Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0
Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | SQL servers on machines should have vulnerability findings resolved | 1.0.0
System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows machines should be configured to use secure communication protocols | 4.1.1
System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity | 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0
Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0
Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0
Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Authentication to Linux machines should require SSH keys | 3.2.0
Identification and Authentication | 3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0
Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 3.1.0
Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 3.2.0
Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Access Control | AC-17 (1) | Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Audit And Accountability | AU-6 (4) | Central Review And Analysis | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit And Accountability | AU-6 (4) | Central Review And Analysis | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Audit And Accountability | AU-12 | Audit Generation | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit And Accountability | AU-12 | Audit Generation | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0
Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0
Identification And Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Identification And Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Identification And Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 3.2.0
Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0
Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0
Identification And Authentication | IA-5 (1) | Password-Based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0
System And Communications Protection | SC-3 | Security Function Isolation | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Windows machines should be configured to use secure communication protocols | 4.1.1
System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Windows machines should be configured to use secure communication protocols | 4.1.1
System And Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System And Information Integrity | SI-3 (1) | Central Management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System And Information Integrity | SI-4 | Information System Monitoring | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
System And Information Integrity | SI-4 | Information System Monitoring | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
System And Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 3.1.0
Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 3.2.0
Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Access Control | AC-17 (1) | Monitoring and Control | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Audit and Accountability | AU-6 (4) | Central Review and Analysis | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit and Accountability | AU-6 (4) | Central Review and Analysis | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Audit and Accountability | AU-12 | Audit Record Generation | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit and Accountability | AU-12 | Audit Record Generation | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0
Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0
Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Identification and Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 3.2.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0
System and Communications Protection | SC-3 | Security Function Isolation | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Windows machines should be configured to use secure communication protocols | 4.1.1
System and Communications Protection | SC-8 (1) | Cryptographic Protection | Windows machines should be configured to use secure communication protocols | 4.1.1
System and Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity | SI-4 | System Monitoring | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
System and Information Integrity | SI-4 | System Monitoring | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
System and Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0

NL BIO Cloud Theme

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | Windows machines should be configured to use secure communication protocols | 4.1.1
U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Audit Linux machines that have accounts without passwords | 3.1.0
U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Audit Linux machines that have accounts without passwords | 3.1.0
U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Audit Linux machines that have accounts without passwords | 3.1.0
U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Windows machines should be configured to use secure communication protocols | 4.1.1
U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Windows machines should be configured to use secure communication protocols | 4.1.1
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview

PCI DSS 3.2.1

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Requirement 8 | 8.2.3 | PCI DSS requirement 8.2.3 | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Requirement 8 | 8.2.3 | PCI DSS requirement 8.2.3 | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Requirement 8 | 8.2.3 | PCI DSS requirement 8.2.3 | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0
Requirement 8 | 8.2.5 | PCI DSS requirement 8.2.5 | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Requirement 8 | 8.2.5 | PCI DSS requirement 8.2.5 | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Requirement 8 | 8.2.5 | PCI DSS requirement 8.2.5 | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0

PCI DSS v4.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0

Reserve Bank of India - IT Framework for NBFC

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
IT Governance | 1 | IT Governance-1 | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Information and Cyber Security | 3.3 | Vulnerability Management-3.3 | SQL servers on machines should have vulnerability findings resolved | 1.0.0

Reserve Bank of India IT Framework for Banks v2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Maintenance, Monitoring, And Analysis Of Audit Logs | Maintenance, Monitoring, And Analysis Of Audit Logs-16.2 | | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview
Maintenance, Monitoring, And Analysis Of Audit Logs | Maintenance, Monitoring, And Analysis Of Audit Logs-16.2 | | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview
Authentication Framework For Customers | Authentication Framework For Customers-9.1 | | Authentication to Linux machines should require SSH keys | 3.2.0
Audit Log Settings | Audit Log Settings-17.1 | | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0
Preventing Execution Of Unauthorised Software | Security Update Management-2.3 | | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Secure Configuration | Secure Configuration-5.1 | | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.1 | | Windows machines should be configured to use secure communication protocols | 4.1.1
Audit Log Settings | Audit Log Settings-17.1 | | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0

Spain ENS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for Spain ENS. For more information about this compliance standard, see CCN-STIC 884.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Protective Measures | mp.com.1 | Protection of communications | Windows machines should meet requirements for 'Windows Firewall Properties' | 3.0.0
Protective Measures | mp.com.3 | Protection of communications | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Operational framework | op.acc.1 | Access control | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Operational framework | op.acc.2 | Access control | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Operational framework | op.acc.2 | Access control | Audit Linux machines that have accounts without passwords | 3.1.0
Operational framework | op.acc.2 | Access control | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Operational framework | op.acc.2 | Access control | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Operational framework | op.acc.2 | Access control | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0
Operational framework | op.acc.2 | Access control | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Operational framework | op.acc.2 | Access control | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0
Operational framework | op.acc.5 | Access control | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Operational framework | op.acc.6 | Access control | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Operational framework | op.exp.1 | Operation | [Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | 1.0.0-preview
Operational framework | op.exp.1 | Operation | [Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory | 1.3.0-preview
Operational framework | op.exp.1 | Operation | [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | 1.0.0-preview
Operational framework | op.exp.1 | Operation | [Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory | 1.0.0-preview
Operational framework | op.exp.10 | Operation | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Operational framework | op.exp.2 | Operation | Configure machines to receive a vulnerability assessment provider | 4.0.0
Operational framework | op.exp.2 | Operation | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Operational framework | op.exp.3 | Operation | Configure machines to receive a vulnerability assessment provider | 4.0.0
Operational framework | op.exp.3 | Operation | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Operational framework | op.exp.4 | Operation | Configure machines to receive a vulnerability assessment provider | 4.0.0
Operational framework | op.exp.4 | Operation | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Operational framework | op.exp.5 | Operation | Configure machines to receive a vulnerability assessment provider | 4.0.0
Operational framework | op.exp.5 | Operation | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Operational framework | op.exp.6 | Operation | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | 1.2.0
Operational framework | op.exp.6 | Operation | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | 1.5.0
Operational framework | op.exp.6 | Operation | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | 1.7.0
Operational framework | op.exp.6 | Operation | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | 1.1.0
Operational framework | op.exp.6 | Operation | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | 1.3.0
Operational framework | op.exp.6 | Operation | Configure machines to receive a vulnerability assessment provider | 4.0.0
Operational framework | op.exp.6 | Operation | Configure the Microsoft Defender for SQL Log Analytics workspace | 1.4.0
Operational framework | op.exp.6 | Operation | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
Operational framework | op.exp.6 | Operation | Windows machines should configure Windows Defender to update protection signatures within one day | 1.0.1
Operational framework | op.exp.6 | Operation | Windows machines should enable Windows Defender Real-time protection | 1.0.1
Operational framework | op.ext.4 | External resources | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Operational framework | op.ext.4 | External resources | Audit Linux machines that have accounts without passwords | 3.1.0
Operational framework | op.mon.1 | System monitoring | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
Operational framework | op.mon.3 | System monitoring | Configure machines to receive a vulnerability assessment provider | 4.0.0
Operational framework | op.mon.3 | System monitoring | SQL servers on machines should have vulnerability findings resolved | 1.0.0

SWIFT CSP-CSCF v2021

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2021. For more information about this compliance standard, see SWIFT CSP CSCF v2021.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | Authentication to Linux machines should require SSH keys | 3.2.0
Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | Windows machines should be configured to use secure communication protocols | 4.1.1
Reduce Attack Surface and Vulnerabilities | 2.2 | Security Updates | Audit Windows VMs with a pending reboot | 2.0.0
Reduce Attack Surface and Vulnerabilities | 2.3 | System Hardening | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Reduce Attack Surface and Vulnerabilities | 2.3 | System Hardening | Audit Windows machines that contain certificates expiring within the specified number of days | 2.0.0
Reduce Attack Surface and Vulnerabilities | 2.3 | System Hardening | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | Authentication to Linux machines should require SSH keys | 3.2.0
Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | Windows machines should be configured to use secure communication protocols | 4.1.1
Reduce Attack Surface and Vulnerabilities | 2.6 | Operator Session Confidentiality and Integrity | Windows machines should be configured to use secure communication protocols | 4.1.1
Prevent Compromise of Credentials | 4.1 | Password Policy | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Prevent Compromise of Credentials | 4.1 | Password Policy | Audit Linux machines that have accounts without passwords | 3.1.0
Prevent Compromise of Credentials | 4.1 | Password Policy | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Prevent Compromise of Credentials | 4.1 | Password Policy | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Prevent Compromise of Credentials | 4.1 | Password Policy | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0
Prevent Compromise of Credentials | 4.1 | Password Policy | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Prevent Compromise of Credentials | 4.1 | Password Policy | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0
Manage Identities and Segregate Privileges | 5.4 | Physical and Logical Password Storage | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0

SWIFT CSP-CSCF v2022

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2022. For more information about this compliance standard, see SWIFT CSP CSCF v2022.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Authentication to Linux machines should require SSH keys | 3.2.0
2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Windows machines should be configured to use secure communication protocols | 4.1.1
2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Audit Windows VMs with a pending reboot | 2.0.0
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Audit Windows machines that contain certificates expiring within the specified number of days | 2.0.0
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
2. Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | Authentication to Linux machines should require SSH keys | 3.2.0
2. Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | Windows machines should be configured to use secure communication protocols | 4.1.1
2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Windows machines should be configured to use secure communication protocols | 4.1.1
2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Windows machines should meet requirements for 'Security Options - Interactive Logon' | 3.0.0
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Linux machines that have accounts without passwords | 3.1.0
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0
5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Audit Windows machines that contain certificates expiring within the specified number of days | 2.0.0
5. Manage Identities and Segregate Privileges | 5.4 | Protect physically and logically the repository of recorded passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0

System and Organization Controls (SOC) 2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for System and Organization Controls (SOC) 2. For more information about this compliance standard, see System and Organization Controls (SOC) 2.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Authentication to Linux machines should require SSH keys | 3.2.0
Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Windows machines should be configured to use secure communication protocols | 4.1.1
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Authentication to Linux machines should require SSH keys | 3.2.0
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Windows machines should be configured to use secure communication protocols | 4.1.1
Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Windows machines should be configured to use secure communication protocols | 4.1.1
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0
System Operations | CC7.2 | Monitor system components for anomalous behavior | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
Change Management | CC8.1 | Changes to infrastructure, data, and software | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0
Change Management | CC8.1 | Changes to infrastructure, data, and software | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0

UK OFFICIAL and UK NHS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Data in transit protection | 1 | Data in transit protection | Windows machines should be configured to use secure communication protocols | 4.1.1
Identity and authentication | 10 | Identity and authentication | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0
Identity and authentication | 10 | Identity and authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0
Identity and authentication | 10 | Identity and authentication | Audit Linux machines that have accounts without passwords | 3.1.0
Identity and authentication | 10 | Identity and authentication | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0
Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0
Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0
Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0

Next steps