Azure Policy Regulatory Compliance controls for Azure Resource Manager

Regulatory Compliance in Azure Policy provides Microsoft-created and -managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Resource Manager. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for System Hardening - Operating system hardening | 380 | Operating system configuration - 380 | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Guidelines for System Hardening - Operating system hardening | 380 | Operating system configuration - 380 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | MFA should be enabled for accounts with write permissions on your subscription | 3.0.1 |
| Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 430 | Suspension of access to systems - 430 | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 430 | Suspension of access to systems - 430 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Media - Media usage | 947 | Using media for data transfers - 947 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1173 | Multi-factor authentication - 1173 | MFA should be enabled for accounts with write permissions on your subscription | 3.0.1 |
| Guidelines for System Hardening - Authentication hardening | 1173 | Multi-factor authentication - 1173 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | MFA should be enabled for accounts with write permissions on your subscription | 3.0.1 |
| Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | There should be more than one owner assigned to your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | There should be more than one owner assigned to your subscription | 3.0.0 |
| Guidelines for System Management - Data backup and restoration | 1511 | Performing backups - 1511 | Audit virtual machines without disaster recovery configured | 1.0.0 |

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | NS-10 | Ensure Domain Name System (DNS) security | Azure Defender for DNS should be enabled | 1.0.0 |
| Identity Management | IM-6 | Use strong authentication controls | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identity Management | IM-6 | Use strong authentication controls | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identity Management | IM-6 | Use strong authentication controls | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identity Management | IM-6 | Use strong authentication controls | MFA should be enabled for accounts with write permissions on your subscription | 3.0.1 |
| Identity Management | IM-6 | Use strong authentication controls | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Identity Management | IM-6 | Use strong authentication controls | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | There should be more than one owner assigned to your subscription | 3.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for Storage should be enabled | 1.0.3 |
| Data Protection | DP-8 | Ensure security of key and certificate repository | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for App Service should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for DNS should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for servers should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Storage should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Microsoft Defender CSPM should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for App Service should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for DNS should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for servers should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Storage should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Microsoft Defender CSPM should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Incident Response | IR-2 | Preparation - setup incident notification | Email notification for high severity alerts should be enabled | 1.0.1 |
| Incident Response | IR-2 | Preparation - setup incident notification | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0 |
| Incident Response | IR-2 | Preparation - setup incident notification | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for DNS should be enabled | 1.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Storage should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Microsoft Defender CSPM should be enabled | 1.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for DNS should be enabled | 1.0.0 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Storage should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Microsoft Defender CSPM should be enabled | 1.0.0 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Endpoint Security | ES-1 | Use Endpoint Detection and Response (EDR) | Azure Defender for servers should be enabled | 1.0.3 |

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Incident Response | 10.4 | Provide security incident contact details and configure alert notifications for security incidents | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Logging and Monitoring | 2.2 | Configure central security log management | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Logging and Monitoring | 2.2 | Configure central security log management | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | There should be more than one owner assigned to your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | There should be more than one owner assigned to your subscription | 3.0.0 |
| Identity and Access Control | 3.5 | Use multi-factor authentication for all Azure Active Directory based access | MFA should be enabled for accounts with write permissions on your subscription | 3.0.1 |
| Identity and Access Control | 3.5 | Use multi-factor authentication for all Azure Active Directory based access | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Identity and Access Control | 3.5 | Use multi-factor authentication for all Azure Active Directory based access | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Data Protection | 4.9 | Log and alert on changes to critical Azure resources | Azure Monitor should collect activity logs from all regions | 2.0.0 |

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-5 | Separation of Duties | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-5 | Separation of Duties | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | There should be more than one owner assigned to your subscription | 3.0.0 |
| Contingency Planning | CP-7 | Alternative Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Identification and Authentication | IA-2(1) | Identification and Authentication (Organizational Users) \| Network Access to Privileged Accounts | MFA should be enabled for accounts with write permissions on your subscription | 3.0.1 |
| Identification and Authentication | IA-2(1) | Identification and Authentication (Organizational Users) \| Network Access to Privileged Accounts | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled for accounts with write permissions on your subscription | 3.0.1 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.11 | Ensure that 'Users can register applications' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.16 | Ensure that 'Self-service group management enabled' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.16 | Ensure that 'Self-service group management enabled' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.16 | Ensure that 'Self-service group management enabled' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.16 | Ensure that 'Self-service group management enabled' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.17 | Ensure that 'Users can create security groups' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.17 | Ensure that 'Users can create security groups' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.17 | Ensure that 'Users can create security groups' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.17 | Ensure that 'Users can create security groups' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.18 | Ensure that 'Users who can manage security groups' is set to 'None' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.18 | Ensure that 'Users who can manage security groups' is set to 'None' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.18 | Ensure that 'Users who can manage security groups' is set to 'None' | Enforce mandatory and discretionary access control policies | 1.1.0 |
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.18 Ensure that 'Users who can manage security groups' is set to 'None' Establish and document change control processes 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' Authorize access to security functions and information 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' Authorize and manage access 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' Enforce mandatory and discretionary access control policies 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.19 Ensure that 'Users can create Office 365 groups' is set to 'No' Establish and document change control processes 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.2 Ensure that multi-factor authentication is enabled for all non-privileged users Adopt biometric authentication mechanisms 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.2 Ensure that multi-factor authentication is enabled for all non-privileged users MFA should be enabled on accounts with read permissions on your subscription 3.0.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' Authorize access to security functions and information 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' Authorize and manage access 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' Enforce mandatory and discretionary access control policies 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.20 Ensure that 'Users who can manage Office 365 groups' is set to 'None' Establish and document change control processes 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Adopt biometric authentication mechanisms 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Authorize remote access 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Document mobility training 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Document remote access guidelines 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Identify and authenticate network devices 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Implement controls to secure alternate work sites 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Provide privacy training 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.22 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Satisfy token quality requirements 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.23 Ensure that no custom subscription owner roles are created Authorize access to security functions and information 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.23 Ensure that no custom subscription owner roles are created Authorize and manage access 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.23 Ensure that no custom subscription owner roles are created Design an access control model 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.23 Ensure that no custom subscription owner roles are created Employ least privilege access 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.23 Ensure that no custom subscription owner roles are created Enforce mandatory and discretionary access control policies 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.23 Ensure that no custom subscription owner roles are created Establish and document change control processes 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ensure that there are no guest users Audit user account status 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ensure that there are no guest users External accounts with owner permissions should be removed from your subscription 3.0.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ensure that there are no guest users External accounts with read permissions should be removed from your subscription 3.0.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ensure that there are no guest users External accounts with write permissions should be removed from your subscription 3.0.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ensure that there are no guest users Reassign or remove user privileges as needed 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ensure that there are no guest users Review account provisioning logs 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ensure that there are no guest users Review user accounts 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.3 Ensure that there are no guest users Review user privileges 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Adopt biometric authentication mechanisms 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Identify and authenticate network devices 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Satisfy token quality requirements 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' Automate account management 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' Manage system and admin accounts 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' Monitor access across the organization 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' Notify when account is not needed 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes' Automate account management 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes' Implement training for protecting authenticators 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes' Manage system and admin accounts 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes' Monitor access across the organization 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes' Notify when account is not needed 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Audit privileged functions 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Automate account management 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Implement training for protecting authenticators 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Manage system and admin accounts 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Monitor access across the organization 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Monitor privileged role assignment 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Notify when account is not needed 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Restrict access to privileged accounts 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Revoke privileged roles as appropriate 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Use privileged identity management 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' Authorize access to security functions and information 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' Authorize and manage access 1.1.0
1 Identity and Access Management CIS Microsoft Azure Foundations Benchmark recommendation 1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' Enforce mandatory and discretionary access control policies 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Azure Defender for App Service should be enabled 1.0.3
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Azure Defender for Azure SQL Database servers should be enabled 1.0.2
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Azure Defender for Key Vault should be enabled 1.0.3
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Azure Defender for servers should be enabled 1.0.3
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Azure Defender for SQL servers on machines should be enabled 1.0.2
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Azure Defender for Storage should be enabled 1.0.3
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Microsoft Defender for Containers should be enabled 1.0.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that standard pricing tier is selected Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.11 Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" Establish a data leakage management procedure 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.11 Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" Implement controls to secure all media 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.11 Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" Protect data in transit using encryption 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.11 Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" Protect special information 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.12 Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" Audit privileged functions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" Audit user account status 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" Determine auditable events 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" Review audit data 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" Establish a data leakage management procedure 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" Implement controls to secure all media 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" Protect data in transit using encryption 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" Protect special information 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.16 Ensure that 'Security contact emails' is set Subscriptions should have a contact email address for security issues 1.0.1
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.18 Ensure that 'Send email notification for high severity alerts' is set to 'On' Email notification for high severity alerts should be enabled 1.0.1
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.19 Ensure that 'Send email also to subscription owners' is set to 'On' Email notification to subscription owner for high severity alerts should be enabled 2.0.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Document security operations 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Turn on sensors for endpoint security solution 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" Remediate information system flaws 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" Remediate information system flaws 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" Establish a data leakage management procedure 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" Implement controls to secure all media 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" Protect data in transit using encryption 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" Protect special information 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" Control information flow 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" Employ flow control mechanisms of encrypted information 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" Control information flow 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" Employ flow control mechanisms of encrypted information 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" Control information flow 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" Employ flow control mechanisms of encrypted information 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' Configure workstations to check for digital certificates 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' Protect data in transit using encryption 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' Protect passwords with encryption 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Define a physical key management process 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Define cryptographic use 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Define organizational requirements for cryptographic key management 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Determine assertion requirements 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Issue public key certificates 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Manage symmetric cryptographic keys 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Restrict access to private keys 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Audit privileged functions 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Audit user account status 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Configure Azure Audit capabilities 1.1.1
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Determine auditable events 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Review audit data 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.4 Ensure that shared access signature tokens expire within an hour Disable authenticators upon termination 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.4 Ensure that shared access signature tokens expire within an hour Revoke privileged roles as appropriate 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.4 Ensure that shared access signature tokens expire within an hour Terminate user session automatically 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ensure that shared access signature tokens are allowed only over https Configure workstations to check for digital certificates 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ensure that shared access signature tokens are allowed only over https Protect data in transit using encryption 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ensure that shared access signature tokens are allowed only over https Protect passwords with encryption 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.6 Ensure that 'Public access level' is set to Private for blob containers Authorize access to security functions and information 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.6 Ensure that 'Public access level' is set to Private for blob containers Authorize and manage access 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.6 Ensure that 'Public access level' is set to Private for blob containers Enforce logical access 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.6 Ensure that 'Public access level' is set to Private for blob containers Enforce mandatory and discretionary access control policies 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.6 Ensure that 'Public access level' is set to Private for blob containers Require approval for account creation 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.6 Ensure that 'Public access level' is set to Private for blob containers Review user groups and applications with access to sensitive data 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.8 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Control information flow 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.8 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Employ flow control mechanisms of encrypted information 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.8 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Establish firewall and router configuration standards 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.8 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Establish network segmentation for card holder data environment 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.8 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Identify and manage downstream information exchanges 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1 Ensure that 'Auditing' is set to 'On' Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1 Ensure that 'Auditing' is set to 'On' Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1 Ensure that 'Auditing' is set to 'On' Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1 Ensure that 'Auditing' is set to 'On' Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) Establish a data leakage management procedure 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) Implement controls to secure all media 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) Protect data in transit using encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) Protect special information 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.11 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Configure workstations to check for digital certificates 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.11 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Protect data in transit using encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.11 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Protect passwords with encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Configure workstations to check for digital certificates 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Protect data in transit using encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Protect passwords with encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.14 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.14 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.14 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.14 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.15 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.15 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.15 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.15 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.16 Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.16 Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.16 Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.16 Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.18 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Adhere to retention periods defined 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.18 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Govern and monitor audit processing activities 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.18 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Retain security policies and procedures 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.18 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Retain terminated user data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.19 Ensure that Azure Active Directory Admin is configured Automate account management 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.19 Ensure that Azure Active Directory Admin is configured Manage system and admin accounts 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.19 Ensure that Azure Active Directory Admin is configured Monitor access across the organization 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.19 Ensure that Azure Active Directory Admin is configured Notify when account is not needed 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3 Ensure that 'Auditing' Retention is 'greater than 90 days' Adhere to retention periods defined 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3 Ensure that 'Auditing' Retention is 'greater than 90 days' Govern and monitor audit processing activities 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3 Ensure that 'Auditing' Retention is 'greater than 90 days' Retain security policies and procedures 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3 Ensure that 'Auditing' Retention is 'greater than 90 days' Retain terminated user data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.4 Ensure that 'Advanced Data Security' on a SQL server is set to 'On' Perform a trend analysis on threats 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.5 Ensure that 'Threat Detection types' is set to 'All' Perform a trend analysis on threats 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.6 Ensure that 'Send alerts to' is set Alert personnel of information spillage 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.6 Ensure that 'Send alerts to' is set Develop an incident response plan 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.6 Ensure that 'Send alerts to' is set Set automated notifications for new and trending cloud applications in your organization 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.7 Ensure that 'Email service and co-administrators' is 'Enabled' Alert personnel of information spillage 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.7 Ensure that 'Email service and co-administrators' is 'Enabled' Develop an incident response plan 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.7 Ensure that 'Email service and co-administrators' is 'Enabled' Set automated notifications for new and trending cloud applications in your organization 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.8 Ensure that Azure Active Directory Admin is configured Automate account management 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.8 Ensure that Azure Active Directory Admin is configured Manage system and admin accounts 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.8 Ensure that Azure Active Directory Admin is configured Monitor access across the organization 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.8 Ensure that Azure Active Directory Admin is configured Notify when account is not needed 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.9 Ensure that 'Data encryption' is set to 'On' on a SQL Database Establish a data leakage management procedure 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.9 Ensure that 'Data encryption' is set to 'On' on a SQL Database Implement controls to secure all media 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.9 Ensure that 'Data encryption' is set to 'On' on a SQL Database Protect data in transit using encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.9 Ensure that 'Data encryption' is set to 'On' on a SQL Database Protect special information 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 Ensure that a Log Profile exists Adhere to retention periods defined 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 Ensure that a Log Profile exists Azure subscriptions should have a log profile for Activity Log 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 Ensure that a Log Profile exists Govern and monitor audit processing activities 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 Ensure that a Log Profile exists Retain security policies and procedures 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 Ensure that a Log Profile exists Retain terminated user data 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ensure that Activity Log Retention is set 365 days or greater Activity log should be retained for at least one year 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ensure that Activity Log Retention is set 365 days or greater Adhere to retention periods defined 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ensure that Activity Log Retention is set 365 days or greater Retain security policies and procedures 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ensure that Activity Log Retention is set 365 days or greater Retain terminated user data 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ensure audit profile captures all the activities Adhere to retention periods defined 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ensure audit profile captures all the activities Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ensure audit profile captures all the activities Govern and monitor audit processing activities 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ensure audit profile captures all the activities Retain security policies and procedures 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ensure audit profile captures all the activities Retain terminated user data 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ensure the log profile captures activity logs for all regions including global Adhere to retention periods defined 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ensure the log profile captures activity logs for all regions including global Azure Monitor should collect activity logs from all regions 2.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ensure the log profile captures activity logs for all regions including global Govern and monitor audit processing activities 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ensure the log profile captures activity logs for all regions including global Retain security policies and procedures 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ensure the log profile captures activity logs for all regions including global Retain terminated user data 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 Ensure the storage container storing the activity logs is not publicly accessible Enable dual or joint authorization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 Ensure the storage container storing the activity logs is not publicly accessible Protect audit information 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) Enable dual or joint authorization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) Maintain integrity of audit system 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) Protect audit information 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' Audit privileged functions 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' Audit user account status 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' Determine auditable events 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' Review audit data 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment An activity log alert should exist for specific Policy operations 3.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution An activity log alert should exist for specific Security operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution An activity log alert should exist for specific Security operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy An activity log alert should exist for specific Security operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy Set automated notifications for new and trending cloud applications in your organization 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Control information flow 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Employ flow control mechanisms of encrypted information 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Adhere to retention periods defined 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Retain security policies and procedures 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Retain terminated user data 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.5 Ensure that Network Watcher is 'Enabled' Verify security functions 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.1 Ensure that 'OS disk' are encrypted Establish a data leakage management procedure 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.1 Ensure that 'OS disk' are encrypted Implement controls to secure all media 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.1 Ensure that 'OS disk' are encrypted Protect data in transit using encryption 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.1 Ensure that 'OS disk' are encrypted Protect special information 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ensure that 'Data disks' are encrypted Establish a data leakage management procedure 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ensure that 'Data disks' are encrypted Implement controls to secure all media 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ensure that 'Data disks' are encrypted Protect data in transit using encryption 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ensure that 'Data disks' are encrypted Protect special information 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ensure that 'Unattached disks' are encrypted Establish a data leakage management procedure 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ensure that 'Unattached disks' are encrypted Implement controls to secure all media 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ensure that 'Unattached disks' are encrypted Protect data in transit using encryption 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ensure that 'Unattached disks' are encrypted Protect special information 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied Remediate information system flaws 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Block untrusted and unsigned processes that run from USB 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Document security operations 1.1.0
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Manage gateways | 1.1.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Perform a trend analysis on threats | 1.1.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Perform vulnerability scans | 1.1.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Review malware detections report weekly | 1.1.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Review threat protection status weekly | 1.1.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Turn on sensors for endpoint security solution | 1.1.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Update antivirus definitions | 1.1.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Verify software, firmware and information integrity | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.1 | Ensure that the expiration date is set on all keys | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.1 | Ensure that the expiration date is set on all keys | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.1 | Ensure that the expiration date is set on all keys | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.1 | Ensure that the expiration date is set on all keys | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.1 | Ensure that the expiration date is set on all keys | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.1 | Ensure that the expiration date is set on all keys | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.1 | Ensure that the expiration date is set on all keys | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.2 | Ensure that the expiration date is set on all Secrets | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.2 | Ensure that the expiration date is set on all Secrets | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.2 | Ensure that the expiration date is set on all Secrets | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.2 | Ensure that the expiration date is set on all Secrets | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.2 | Ensure that the expiration date is set on all Secrets | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.2 | Ensure that the expiration date is set on all Secrets | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.2 | Ensure that the expiration date is set on all Secrets | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.3 | Ensure that Resource Locks are set for mission critical Azure resources | Establish and document change control processes | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.4 | Ensure the key vault is recoverable | Maintain availability of information | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Authorize access to security functions and information | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Authorize and manage access | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Enforce logical access | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Require approval for account creation | 1.1.0 |
| 8 Other Security Considerations | CIS Microsoft Azure Foundations Benchmark recommendation 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Review user groups and applications with access to sensitive data | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | Ensure App Service Authentication is set on Azure App Service | Authenticate to cryptographic module | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | Ensure App Service Authentication is set on Azure App Service | Enforce user uniqueness | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | Ensure App Service Authentication is set on Azure App Service | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Protect passwords with encryption | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | Ensure web app is using the latest version of TLS encryption | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | Ensure web app is using the latest version of TLS encryption | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | Ensure web app is using the latest version of TLS encryption | Protect passwords with encryption | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Authenticate to cryptographic module | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Automate account management | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Manage system and admin accounts | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Monitor access across the organization | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Notify when account is not needed | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.6 | Ensure that '.Net Framework' version is the latest, if used as a part of the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.7 | Ensure that 'PHP version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.8 | Ensure that 'Python version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | CIS Microsoft Azure Foundations Benchmark recommendation 9.9 | Ensure that 'Java version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled for accounts with write permissions on your subscription | 3.0.1 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.11 | Ensure that 'Users can register applications' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.13 | Ensure that 'Members can invite' is set to 'No' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.14 | Ensure that 'Guests can invite' is set to 'No' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.16 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.16 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.16 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.16 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.17 | Ensure that 'Users can create security groups in Azure Portals' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.17 | Ensure that 'Users can create security groups in Azure Portals' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.17 | Ensure that 'Users can create security groups in Azure Portals' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.17 | Ensure that 'Users can create security groups in Azure Portals' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.18 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.18 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.18 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.18 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.19 | Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.19 | Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.19 | Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.19 | Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Authorize remote access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Document mobility training | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Document remote access guidelines | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Implement controls to secure alternate work sites | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Provide privacy training | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.21 | Ensure that no custom subscription owner roles are created | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.21 | Ensure that no custom subscription owner roles are created | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.21 | Ensure that no custom subscription owner roles are created | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.21 | Ensure that no custom subscription owner roles are created | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.21 | Ensure that no custom subscription owner roles are created | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.21 | Ensure that no custom subscription owner roles are created | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Authenticate to cryptographic module | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Authorize remote access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Document mobility training | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Document remote access guidelines | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Implement controls to secure alternate work sites | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Provide privacy training | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.23 | Ensure Custom Role is assigned for Administering Resource Locks | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.23 | Ensure Custom Role is assigned for Administering Resource Locks | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.23 | Ensure Custom Role is assigned for Administering Resource Locks | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.23 | Ensure Custom Role is assigned for Administering Resource Locks | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | Audit user account status | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | Reassign or remove user privileges as needed | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | Review account provisioning logs | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | Review user accounts | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | Review user privileges | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" | Automate account management | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Audit privileged functions | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor privileged role assignment | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Restrict access to privileged accounts | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Revoke privileged roles as appropriate | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Use privileged identity management | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 2 Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that Azure Defender is set to On for Servers | Azure Defender for servers should be enabled | 1.0.3 |
| 2 Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that Azure Defender is set to On for Servers | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that Azure Defender is set to On for Servers | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that Azure Defender is set to On for Servers | Manage gateways | 1.1.0 |
| 2 Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that Azure Defender is set to On for Servers | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that Azure Defender is set to On for Servers | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that Azure Defender is set to On for Servers | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that Azure Defender is set to On for Servers | Review threat protection status weekly | 1.1.0 |
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.1 Ensure that Azure Defender is set to On for Servers Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Document security operations 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Turn on sensors for endpoint security solution 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.12 Ensure any of the ASC Default policy setting is not set to "Disabled" Configure actions for noncompliant devices 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.12 Ensure any of the ASC Default policy setting is not set to "Disabled" Develop and maintain baseline configurations 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.12 Ensure any of the ASC Default policy setting is not set to "Disabled" Enforce security configuration settings 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.12 Ensure any of the ASC Default policy setting is not set to "Disabled" Establish a configuration control board 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.12 Ensure any of the ASC Default policy setting is not set to "Disabled" Establish and document a configuration management plan 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.12 Ensure any of the ASC Default policy setting is not set to "Disabled" Implement an automated configuration management tool 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.13 Ensure 'Additional email addresses' is configured with a security contact email Subscriptions should have a contact email address for security issues 1.0.1
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High' Email notification for high severity alerts should be enabled 1.0.1
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that Azure Defender is set to On for App Service Azure Defender for App Service should be enabled 1.0.3
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that Azure Defender is set to On for App Service Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that Azure Defender is set to On for App Service Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that Azure Defender is set to On for App Service Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that Azure Defender is set to On for App Service Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that Azure Defender is set to On for App Service Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that Azure Defender is set to On for App Service Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that Azure Defender is set to On for App Service Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.2 Ensure that Azure Defender is set to On for App Service Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers Azure Defender for Azure SQL Database servers should be enabled 1.0.2
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure that Azure Defender is set to On for SQL servers on machines Azure Defender for SQL servers on machines should be enabled 1.0.2
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure that Azure Defender is set to On for SQL servers on machines Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure that Azure Defender is set to On for SQL servers on machines Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure that Azure Defender is set to On for SQL servers on machines Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure that Azure Defender is set to On for SQL servers on machines Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure that Azure Defender is set to On for SQL servers on machines Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure that Azure Defender is set to On for SQL servers on machines Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure that Azure Defender is set to On for SQL servers on machines Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.4 Ensure that Azure Defender is set to On for SQL servers on machines Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure that Azure Defender is set to On for Storage Azure Defender for Storage should be enabled 1.0.3
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure that Azure Defender is set to On for Storage Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure that Azure Defender is set to On for Storage Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure that Azure Defender is set to On for Storage Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure that Azure Defender is set to On for Storage Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure that Azure Defender is set to On for Storage Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure that Azure Defender is set to On for Storage Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure that Azure Defender is set to On for Storage Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.5 Ensure that Azure Defender is set to On for Storage Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure that Azure Defender is set to On for Kubernetes Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure that Azure Defender is set to On for Kubernetes Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure that Azure Defender is set to On for Kubernetes Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure that Azure Defender is set to On for Kubernetes Microsoft Defender for Containers should be enabled 1.0.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure that Azure Defender is set to On for Kubernetes Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure that Azure Defender is set to On for Kubernetes Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure that Azure Defender is set to On for Kubernetes Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure that Azure Defender is set to On for Kubernetes Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.6 Ensure that Azure Defender is set to On for Kubernetes Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure that Azure Defender is set to On for Container Registries Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure that Azure Defender is set to On for Container Registries Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure that Azure Defender is set to On for Container Registries Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure that Azure Defender is set to On for Container Registries Microsoft Defender for Containers should be enabled 1.0.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure that Azure Defender is set to On for Container Registries Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure that Azure Defender is set to On for Container Registries Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure that Azure Defender is set to On for Container Registries Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure that Azure Defender is set to On for Container Registries Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.7 Ensure that Azure Defender is set to On for Container Registries Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure that Azure Defender is set to On for Key Vault Azure Defender for Key Vault should be enabled 1.0.3
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure that Azure Defender is set to On for Key Vault Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure that Azure Defender is set to On for Key Vault Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure that Azure Defender is set to On for Key Vault Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure that Azure Defender is set to On for Key Vault Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure that Azure Defender is set to On for Key Vault Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure that Azure Defender is set to On for Key Vault Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure that Azure Defender is set to On for Key Vault Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.8 Ensure that Azure Defender is set to On for Key Vault Update antivirus definitions 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected Block untrusted and unsigned processes that run from USB 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected Detect network services that have not been authorized or approved 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected Manage gateways 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected Perform a trend analysis on threats 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected Perform vulnerability scans 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected Review malware detections report weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected Review threat protection status weekly 1.1.0
2 Security Center CIS Microsoft Azure Foundations Benchmark recommendation 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected Update antivirus definitions 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' Configure workstations to check for digital certificates 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' Protect data in transit using encryption 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' Protect passwords with encryption 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests Audit privileged functions 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests Audit user account status 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests Configure Azure Audit capabilities 1.1.1
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests Determine auditable events 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests Review audit data 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests Audit privileged functions 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests Audit user account status 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests Configure Azure Audit capabilities 1.1.1
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests Determine auditable events 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests Review audit data 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Define a physical key management process 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Define cryptographic use 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Define organizational requirements for cryptographic key management 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Determine assertion requirements 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Issue public key certificates 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Manage symmetric cryptographic keys 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.2 Ensure that storage account access keys are periodically regenerated Restrict access to private keys 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Audit privileged functions 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Audit user account status 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Configure Azure Audit capabilities 1.1.1
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Determine auditable events 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests Review audit data 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.4 Ensure that shared access signature tokens expire within an hour Disable authenticators upon termination 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.4 Ensure that shared access signature tokens expire within an hour Revoke privileged roles as appropriate 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.4 Ensure that shared access signature tokens expire within an hour Terminate user session automatically 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ensure that 'Public access level' is set to Private for blob containers Authorize access to security functions and information 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ensure that 'Public access level' is set to Private for blob containers Authorize and manage access 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ensure that 'Public access level' is set to Private for blob containers Enforce logical access 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ensure that 'Public access level' is set to Private for blob containers Enforce mandatory and discretionary access control policies 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ensure that 'Public access level' is set to Private for blob containers Require approval for account creation 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.5 Ensure that 'Public access level' is set to Private for blob containers Review user groups and applications with access to sensitive data 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Control information flow 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Employ flow control mechanisms of encrypted information 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Establish firewall and router configuration standards 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Establish network segmentation for card holder data environment 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Identify and manage downstream information exchanges 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.9 Ensure storage for critical data are encrypted with Customer Managed Key Establish a data leakage management procedure 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.9 Ensure storage for critical data are encrypted with Customer Managed Key Implement controls to secure all media 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.9 Ensure storage for critical data are encrypted with Customer Managed Key Protect data in transit using encryption 1.1.0
3 Storage Accounts CIS Microsoft Azure Foundations Benchmark recommendation 3.9 Ensure storage for critical data are encrypted with Customer Managed Key Protect special information 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1 Ensure that 'Auditing' is set to 'On' Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1 Ensure that 'Auditing' is set to 'On' Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1 Ensure that 'Auditing' is set to 'On' Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1 Ensure that 'Auditing' is set to 'On' Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database Establish a data leakage management procedure 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database Implement controls to secure all media 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database Protect data in transit using encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database Protect special information 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' Adhere to retention periods defined 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' Govern and monitor audit processing activities 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' Retain security policies and procedures 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' Retain terminated user data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' Perform a trend analysis on threats 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Perform vulnerability scans 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Remediate information system flaws 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server Perform vulnerability scans 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server Remediate information system flaws 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server Correlate Vulnerability scan information 1.1.1
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server Perform vulnerability scans 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server Remediate information system flaws 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server Correlate Vulnerability scan information 1.1.1
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server Perform vulnerability scans 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server Remediate information system flaws 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Configure workstations to check for digital certificates 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Protect data in transit using encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Protect passwords with encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Configure workstations to check for digital certificates 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Protect data in transit using encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Protect passwords with encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Audit privileged functions 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Audit user account status 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Determine auditable events 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Review audit data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Adhere to retention periods defined 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Govern and monitor audit processing activities 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Retain security policies and procedures 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Retain terminated user data 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Control information flow 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Employ flow control mechanisms of encrypted information 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Establish firewall and router configuration standards 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Establish network segmentation for card holder data environment 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Identify and manage downstream information exchanges 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.4 Ensure that Azure Active Directory Admin is configured Automate account management 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.4 Ensure that Azure Active Directory Admin is configured Manage system and admin accounts 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.4 Ensure that Azure Active Directory Admin is configured Monitor access across the organization 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.4 Ensure that Azure Active Directory Admin is configured Notify when account is not needed 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key Establish a data leakage management procedure 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key Implement controls to secure all media 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key Protect data in transit using encryption 1.1.0
4 Database Services CIS Microsoft Azure Foundations Benchmark recommendation 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key Protect special information 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 Ensure that a 'Diagnostics Setting' exists Determine auditable events 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ensure Diagnostic Setting captures appropriate categories Audit privileged functions 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ensure Diagnostic Setting captures appropriate categories Audit user account status 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ensure Diagnostic Setting captures appropriate categories Configure Azure Audit capabilities 1.1.1
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ensure Diagnostic Setting captures appropriate categories Determine auditable events 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 Ensure Diagnostic Setting captures appropriate categories Review audit data 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible Enable dual or joint authorization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible Protect audit information 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) Enable dual or joint authorization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) Maintain integrity of audit system 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) Protect audit information 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' Audit privileged functions 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' Audit user account status 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' Determine auditable events 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' Review audit data 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment An activity log alert should exist for specific Policy operations 3.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment An activity log alert should exist for specific Policy operations 3.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ensure that activity log alert exists for the Delete Network Security Group Rule Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ensure that activity log alert exists for the Delete Network Security Group Rule An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ensure that activity log alert exists for the Delete Network Security Group Rule Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 Ensure that activity log alert exists for the Delete Network Security Group Rule Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution An activity log alert should exist for specific Security operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution An activity log alert should exist for specific Security operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Alert personnel of information spillage 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule An activity log alert should exist for specific Administrative operations 1.0.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Develop an incident response plan 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Set automated notifications for new and trending cloud applications in your organization 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. Adhere to retention periods defined 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. Audit privileged functions 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. Audit user account status 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. Configure Azure Audit capabilities 1.1.1
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. Determine auditable events 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. Govern and monitor audit processing activities 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. Retain security policies and procedures 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. Retain terminated user data 1.1.0
5 Logging and Monitoring CIS Microsoft Azure Foundations Benchmark recommendation 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. Review audit data 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Control information flow 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Employ flow control mechanisms of encrypted information 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Adhere to retention periods defined 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Retain security policies and procedures 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Retain terminated user data 1.1.0
6 Networking CIS Microsoft Azure Foundations Benchmark recommendation 6.5 Ensure that Network Watcher is 'Enabled' Verify security functions 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.1 Ensure Virtual Machines are utilizing Managed Disks Control physical access 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.1 Ensure Virtual Machines are utilizing Managed Disks Manage the input, output, processing, and storage of data 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.1 Ensure Virtual Machines are utilizing Managed Disks Review label activity and analytics 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ensure that 'OS and Data' disks are encrypted with CMK Establish a data leakage management procedure 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ensure that 'OS and Data' disks are encrypted with CMK Implement controls to secure all media 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ensure that 'OS and Data' disks are encrypted with CMK Protect data in transit using encryption 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.2 Ensure that 'OS and Data' disks are encrypted with CMK Protect special information 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ensure that 'Unattached disks' are encrypted with CMK Establish a data leakage management procedure 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ensure that 'Unattached disks' are encrypted with CMK Implement controls to secure all media 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ensure that 'Unattached disks' are encrypted with CMK Protect data in transit using encryption 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.3 Ensure that 'Unattached disks' are encrypted with CMK Protect special information 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied Remediate information system flaws 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Block untrusted and unsigned processes that run from USB 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Document security operations 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Manage gateways 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Perform a trend analysis on threats 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Perform vulnerability scans 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Review malware detections report weekly 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Review threat protection status weekly 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Turn on sensors for endpoint security solution 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Update antivirus definitions 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Verify software, firmware and information integrity 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.7 Ensure that VHD's are encrypted Establish a data leakage management procedure 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.7 Ensure that VHD's are encrypted Implement controls to secure all media 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.7 Ensure that VHD's are encrypted Protect data in transit using encryption 1.1.0
7 Virtual Machines CIS Microsoft Azure Foundations Benchmark recommendation 7.7 Ensure that VHD's are encrypted Protect special information 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.1 Ensure that the expiration date is set on all keys Define a physical key management process 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.1 Ensure that the expiration date is set on all keys Define cryptographic use 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.1 Ensure that the expiration date is set on all keys Define organizational requirements for cryptographic key management 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.1 Ensure that the expiration date is set on all keys Determine assertion requirements 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.1 Ensure that the expiration date is set on all keys Issue public key certificates 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.1 Ensure that the expiration date is set on all keys Manage symmetric cryptographic keys 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.1 Ensure that the expiration date is set on all keys Restrict access to private keys 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.2 Ensure that the expiration date is set on all Secrets Define a physical key management process 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.2 Ensure that the expiration date is set on all Secrets Define cryptographic use 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.2 Ensure that the expiration date is set on all Secrets Define organizational requirements for cryptographic key management 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.2 Ensure that the expiration date is set on all Secrets Determine assertion requirements 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.2 Ensure that the expiration date is set on all Secrets Issue public key certificates 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.2 Ensure that the expiration date is set on all Secrets Manage symmetric cryptographic keys 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.2 Ensure that the expiration date is set on all Secrets Restrict access to private keys 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.3 Ensure that Resource Locks are set for mission critical Azure resources Establish and document change control processes 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.4 Ensure the key vault is recoverable Maintain availability of information 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services Authorize access to security functions and information 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services Authorize and manage access 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services Enforce logical access 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services Enforce mandatory and discretionary access control policies 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services Require approval for account creation 1.1.0
8 Other Security Considerations CIS Microsoft Azure Foundations Benchmark recommendation 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services Review user groups and applications with access to sensitive data 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.1 Ensure App Service Authentication is set on Azure App Service Authenticate to cryptographic module 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.1 Ensure App Service Authentication is set on Azure App Service Enforce user uniqueness 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.1 Ensure App Service Authentication is set on Azure App Service Support personal verification credentials issued by legal authorities 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.10 Ensure FTP deployments are disabled Configure workstations to check for digital certificates 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.10 Ensure FTP deployments are disabled Protect data in transit using encryption 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.10 Ensure FTP deployments are disabled Protect passwords with encryption 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ensure Azure Keyvaults are used to store secrets Define a physical key management process 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ensure Azure Keyvaults are used to store secrets Define cryptographic use 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ensure Azure Keyvaults are used to store secrets Define organizational requirements for cryptographic key management 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ensure Azure Keyvaults are used to store secrets Determine assertion requirements 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ensure Azure Keyvaults are used to store secrets Ensure cryptographic mechanisms are under configuration management 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ensure Azure Keyvaults are used to store secrets Issue public key certificates 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ensure Azure Keyvaults are used to store secrets Maintain availability of information 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ensure Azure Keyvaults are used to store secrets Manage symmetric cryptographic keys 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.11 Ensure Azure Keyvaults are used to store secrets Restrict access to private keys 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Configure workstations to check for digital certificates 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Protect data in transit using encryption 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Protect passwords with encryption 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.3 Ensure web app is using the latest version of TLS encryption Configure workstations to check for digital certificates 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.3 Ensure web app is using the latest version of TLS encryption Protect data in transit using encryption 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.3 Ensure web app is using the latest version of TLS encryption Protect passwords with encryption 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Authenticate to cryptographic module 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.5 Ensure that Register with Azure Active Directory is enabled on App Service Automate account management 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.5 Ensure that Register with Azure Active Directory is enabled on App Service Manage system and admin accounts 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.5 Ensure that Register with Azure Active Directory is enabled on App Service Monitor access across the organization 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.5 Ensure that Register with Azure Active Directory is enabled on App Service Notify when account is not needed 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.6 Ensure that 'PHP version' is the latest, if used to run the web app Remediate information system flaws 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.7 Ensure that 'Python version' is the latest, if used to run the web app Remediate information system flaws 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.8 Ensure that 'Java version' is the latest, if used to run the web app Remediate information system flaws 1.1.0
9 AppService CIS Microsoft Azure Foundations Benchmark recommendation 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app Remediate information system flaws 1.1.0

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

Domain   Control ID   Control title   Policy (Azure portal)   Policy version (GitHub)
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Deprecated accounts should be removed from your subscription 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). External accounts with read permissions should be removed from your subscription 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). External accounts with write permissions should be removed from your subscription 3.0.0
Access Control AC.2.007 Employ the principle of least privilege, including for specific security functions and privileged accounts. External accounts with read permissions should be removed from your subscription 3.0.0
Access Control AC.2.007 Employ the principle of least privilege, including for specific security functions and privileged accounts. External accounts with write permissions should be removed from your subscription 3.0.0
Access Control AC.3.017 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC.3.017 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. There should be more than one owner assigned to your subscription 3.0.0
Access Control AC.3.018 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. An activity log alert should exist for specific Administrative operations (five separate built-in definitions share this display name, each targeting a different administrative operation; they are listed individually in the portal) 1.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. An activity log alert should exist for specific Administrative operations (five separate built-in definitions share this display name, each targeting a different administrative operation) 1.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. An activity log alert should exist for specific Security operations 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Administrative operations (five separate built-in definitions share this display name, each targeting a different administrative operation) 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Policy operations 3.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Security operations 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Azure Monitor should collect activity logs from all regions 2.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Azure subscriptions should have a log profile for Activity Log 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Activity log should be retained for at least one year 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Administrative operations (five separate built-in definitions share this display name, each targeting a different administrative operation) 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Policy operations 3.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Security operations 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Azure Monitor should collect activity logs from all regions 2.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Azure subscriptions should have a log profile for Activity Log 1.0.0
Audit and Accountability AU.3.049 Protect audit information and audit logging tools from unauthorized access, modification, and deletion. An activity log alert should exist for specific Policy operations 3.0.0
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. An activity log alert should exist for specific Security operations 1.0.0
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. An activity log alert should exist for specific Security operations 1.0.0
Configuration Management CM.2.061 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. An activity log alert should exist for specific Policy operations 3.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Administrative operations (five separate built-in definitions share this display name, each targeting a different administrative operation) 1.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Policy operations 3.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Security operations 1.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. Azure Monitor should collect activity logs from all regions 2.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. Azure subscriptions should have a log profile for Activity Log 1.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. MFA should be enabled for accounts with write permissions on your subscription 3.0.1
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA.3.083 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA should be enabled for accounts with write permissions on your subscription 3.0.1
Identification and Authentication IA.3.083 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA.3.083 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. MFA should be enabled for accounts with write permissions on your subscription 3.0.1
Identification and Authentication IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Incident Response IR.2.092 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR.2.092 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR.2.092 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Subscriptions should have a contact email address for security issues 1.0.1
Incident Response IR.2.093 Detect and report events. An activity log alert should exist for specific Security operations 1.0.0
Incident Response IR.2.093 Detect and report events. Azure Defender for App Service should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Incident Response IR.2.093 Detect and report events. Azure Defender for Key Vault should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Azure Defender for servers should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Azure Defender for SQL servers on machines should be enabled 1.0.2
Incident Response IR.2.093 Detect and report events. Azure Defender for Storage should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR.2.093 Detect and report events. Microsoft Defender for Containers should be enabled 1.0.0
Recovery RE.2.137 Regularly perform and test data back-ups. Audit virtual machines without disaster recovery configured 1.0.0
Recovery RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Audit virtual machines without disaster recovery configured 1.0.0
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for App Service should be enabled 1.0.3
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for Key Vault should be enabled 1.0.3
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for servers should be enabled 1.0.3
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for Storage should be enabled 1.0.3
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Microsoft Defender for Containers should be enabled 1.0.0
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for App Service should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for Key Vault should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for servers should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for Storage should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Microsoft Defender for Containers should be enabled 1.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for App Service should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for Key Vault should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for servers should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for Storage should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Microsoft Defender for Containers should be enabled 1.0.0
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for App Service should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for Key Vault should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for servers should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for Storage should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Microsoft Defender for Containers should be enabled 1.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. A maximum of 3 owners should be designated for your subscription 3.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. External accounts with owner permissions should be removed from your subscription 3.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. There should be more than one owner assigned to your subscription 3.0.0
System and Communications Protection SC.3.187 Establish and manage cryptographic keys for cryptography employed in organizational systems. Azure Defender for Key Vault should be enabled 1.0.3
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. MFA should be enabled for accounts with write permissions on your subscription 3.0.1
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Microsoft Defender for Containers should be enabled 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Policy operations 3.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Security operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Monitor should collect activity logs from all regions 2.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure subscriptions should have a log profile for Activity Log 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Email notification to subscription owner for high severity alerts should be enabled 2.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Microsoft Defender for Containers should be enabled 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Subscriptions should have a contact email address for security issues 1.0.1
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Activity log should be retained for at least one year 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Policy operations 3.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Security operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure Monitor should collect activity logs from all regions 2.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure subscriptions should have a log profile for Activity Log 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Email notification to subscription owner for high severity alerts should be enabled 2.0.0

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control AC-1 Access Control Policy And Procedures Develop access control policies and procedures 1.1.0
Access Control AC-1 Access Control Policy And Procedures Enforce mandatory and discretionary access control policies 1.1.0
Access Control AC-1 Access Control Policy And Procedures Govern policies and procedures 1.1.0
Access Control AC-1 Access Control Policy And Procedures Review access control policies and procedures 1.1.0
Access Control AC-2 Account Management A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-2 Account Management Assign account managers 1.1.0
Access Control AC-2 Account Management Audit user account status 1.1.0
Access Control AC-2 Account Management Define and enforce conditions for shared and group accounts 1.1.0
Access Control AC-2 Account Management Define information system account types 1.1.0
Access Control AC-2 Account Management Deprecated accounts should be removed from your subscription 3.0.0
Access Control AC-2 Account Management Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management Document access privileges 1.1.0
Access Control AC-2 Account Management Establish conditions for role membership 1.1.0
Access Control AC-2 Account Management External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with read permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with write permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management Monitor account activity 1.1.0
Access Control AC-2 Account Management Notify Account Managers of customer controlled accounts 1.1.0
Access Control AC-2 Account Management Reissue authenticators for changed groups and accounts 1.1.0
Access Control AC-2 Account Management Require approval for account creation 1.1.0
Access Control AC-2 Account Management Restrict access to privileged accounts 1.1.0
Access Control AC-2 Account Management Review account provisioning logs 1.1.0
Access Control AC-2 Account Management Review user accounts 1.1.0
Access Control AC-2 (1) Automated System Account Management Automate account management 1.1.0
Access Control AC-2 (1) Automated System Account Management Manage system and admin accounts 1.1.0
Access Control AC-2 (1) Automated System Account Management Monitor access across the organization 1.1.0
Access Control AC-2 (1) Automated System Account Management Notify when account is not needed 1.1.0
Access Control AC-2 (3) Disable Inactive Accounts Disable authenticators upon termination 1.1.0
Access Control AC-2 (3) Disable Inactive Accounts Revoke privileged roles as appropriate 1.1.0
Access Control AC-2 (4) Automated Audit Actions Audit user account status 1.1.0
Access Control AC-2 (4) Automated Audit Actions Automate account management 1.1.0
Access Control AC-2 (4) Automated Audit Actions Manage system and admin accounts 1.1.0
Access Control AC-2 (4) Automated Audit Actions Monitor access across the organization 1.1.0
Access Control AC-2 (4) Automated Audit Actions Notify when account is not needed 1.1.0
Access Control AC-2 (5) Inactivity Logout Define and enforce inactivity log policy 1.1.0
Access Control AC-2 (7) Role-Based Schemes Audit privileged functions 1.1.0
Access Control AC-2 (7) Role-Based Schemes Monitor account activity 1.1.0
Access Control AC-2 (7) Role-Based Schemes Monitor privileged role assignment 1.1.0
Access Control AC-2 (7) Role-Based Schemes Restrict access to privileged accounts 1.1.0
Access Control AC-2 (7) Role-Based Schemes Revoke privileged roles as appropriate 1.1.0
Access Control AC-2 (7) Role-Based Schemes Use privileged identity management 1.1.0
Access Control AC-2 (9) Restrictions On Use Of Shared Groups / Accounts Define and enforce conditions for shared and group accounts 1.1.0
Access Control AC-2 (10) Shared / Group Account Credential Termination Terminate customer controlled account credentials 1.1.0
Access Control AC-2 (11) Usage Conditions Enforce appropriate usage of all accounts 1.1.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for App Service should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for DNS should be enabled 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Key Vault should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Resource Manager should be enabled 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for servers should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for SQL servers on machines should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Storage should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Microsoft Defender for Containers should be enabled 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Monitor account activity 1.1.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Report atypical behavior of user accounts 1.1.0
Access Control AC-2 (13) Disable Accounts For High-Risk Individuals Disable user accounts posing a significant risk 1.1.0
Access Control AC-3 Access Enforcement Authorize access to security functions and information 1.1.0
Access Control AC-3 Access Enforcement Authorize and manage access 1.1.0
Access Control AC-3 Access Enforcement Enforce logical access 1.1.0
Access Control AC-3 Access Enforcement Enforce mandatory and discretionary access control policies 1.1.0
Access Control AC-3 Access Enforcement MFA should be enabled for accounts with write permissions on your subscription 3.0.1
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement Require approval for account creation 1.1.0
Access Control AC-3 Access Enforcement Review user groups and applications with access to sensitive data 1.1.0
Access Control AC-4 Information Flow Enforcement Control information flow 1.1.0
Access Control AC-4 Information Flow Enforcement Employ flow control mechanisms of encrypted information 1.1.0
Access Control AC-4 (8) Security Policy Filters Information flow control using security policy filters 1.1.0
Access Control AC-4 (21) Physical / Logical Separation Of Information Flows Control information flow 1.1.0
Access Control AC-4 (21) Physical / Logical Separation Of Information Flows Establish firewall and router configuration standards 1.1.0
Access Control AC-4 (21) Physical / Logical Separation Of Information Flows Establish network segmentation for card holder data environment 1.1.0
Access Control AC-4 (21) Physical / Logical Separation Of Information Flows Identify and manage downstream information exchanges 1.1.0
Access Control AC-5 Separation Of Duties Define access authorizations to support separation of duties 1.1.0
Access Control AC-5 Separation Of Duties Document separation of duties 1.1.0
Access Control AC-5 Separation Of Duties Separate duties of individuals 1.1.0
Access Control AC-5 Separation Of Duties There should be more than one owner assigned to your subscription 3.0.0
Access Control AC-6 Least Privilege A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-6 Least Privilege Design an access control model 1.1.0
Access Control AC-6 Least Privilege Employ least privilege access 1.1.0
Access Control AC-6 (1) Authorize Access To Security Functions Authorize access to security functions and information 1.1.0
Access Control AC-6 (1) Authorize Access To Security Functions Authorize and manage access 1.1.0
Access Control AC-6 (1) Authorize Access To Security Functions Enforce mandatory and discretionary access control policies 1.1.0
Access Control AC-6 (5) Privileged Accounts Restrict access to privileged accounts 1.1.0
Access Control AC-6 (7) Review Of User Privileges A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-6 (7) Review Of User Privileges Reassign or remove user privileges as needed 1.1.0
Access Control AC-6 (7) Review Of User Privileges Review user privileges 1.1.0
Access Control AC-6 (8) Privilege Levels For Code Execution Enforce software execution privileges 1.1.0
Access Control AC-6 (9) Auditing Use Of Privileged Functions Audit privileged functions 1.1.0
Access Control AC-6 (9) Auditing Use Of Privileged Functions Conduct a full text analysis of logged privileged commands 1.1.0
Access Control AC-6 (9) Auditing Use Of Privileged Functions Monitor privileged role assignment 1.1.0
Access Control AC-6 (9) Auditing Use Of Privileged Functions Restrict access to privileged accounts 1.1.0
Access Control AC-6 (9) Auditing Use Of Privileged Functions Revoke privileged roles as appropriate 1.1.0
Access Control AC-6 (9) Auditing Use Of Privileged Functions Use privileged identity management 1.1.0
Access Control AC-7 Unsuccessful Logon Attempts Enforce a limit of consecutive failed login attempts 1.1.0
Access Control AC-10 Concurrent Session Control Define and enforce the limit of concurrent sessions 1.1.0
Access Control AC-12 Session Termination Terminate user session automatically 1.1.0
Access Control AC-12 (1) User-Initiated Logouts / Message Displays Display an explicit logout message 1.1.0
Access Control AC-12 (1) User-Initiated Logouts / Message Displays Provide the logout capability 1.1.0
Access Control AC-14 Permitted Actions Without Identification Or Authentication Identify actions allowed without authentication 1.1.0
Access Control AC-17 Remote Access Authorize remote access 1.1.0
Access Control AC-17 Remote Access Document mobility training 1.1.0
Access Control AC-17 Remote Access Document remote access guidelines 1.1.0
Access Control AC-17 Remote Access Implement controls to secure alternate work sites 1.1.0
Access Control AC-17 Remote Access Provide privacy training 1.1.0
Access Control AC-17 (1) Automated Monitoring / Control Monitor access across the organization 1.1.0
Access Control AC-17 (2) Protection Of Confidentiality / Integrity Using Encryption Notify users of system logon or access 1.1.0
Access Control AC-17 (2) Protection Of Confidentiality / Integrity Using Encryption Protect data in transit using encryption 1.1.0
Access Control AC-17 (3) Managed Access Control Points Route traffic through managed network access points 1.1.0
Access Control AC-17 (4) Privileged Commands / Access Authorize remote access 1.1.0
Access Control AC-17 (4) Privileged Commands / Access Authorize remote access to privileged commands 1.1.0
Access Control AC-17 (4) Privileged Commands / Access Document remote access guidelines 1.1.0
Access Control AC-17 (4) Privileged Commands / Access Implement controls to secure alternate work sites 1.1.0
Access Control AC-17 (4) Privileged Commands / Access Provide privacy training 1.1.0
Access Control AC-17 (9) Disconnect / Disable Access Provide capability to disconnect or disable remote access 1.1.0
Access Control AC-18 Wireless Access Document and implement wireless access guidelines 1.1.0
Access Control AC-18 Wireless Access Protect wireless access 1.1.0
Access Control AC-18 (1) Authentication And Encryption Document and implement wireless access guidelines 1.1.0
Access Control AC-18 (1) Authentication And Encryption Identify and authenticate network devices 1.1.0
Access Control AC-18 (1) Authentication And Encryption Protect wireless access 1.1.0
Access Control AC-19 Access Control For Mobile Devices Define mobile device requirements 1.1.0
Access Control AC-19 (5) Full Device / Container-Based Encryption Define mobile device requirements 1.1.0
Access Control AC-19 (5) Full Device / Container-Based Encryption Protect data in transit using encryption 1.1.0
Access Control AC-20 Use Of External Information Systems Establish terms and conditions for accessing resources 1.1.0
Access Control AC-20 Use Of External Information Systems Establish terms and conditions for processing resources 1.1.0
Access Control AC-20 (1) Limits On Authorized Use Verify security controls for external information systems 1.1.0
Access Control AC-20 (2) Portable Storage Devices Block untrusted and unsigned processes that run from USB 1.1.0
Access Control AC-20 (2) Portable Storage Devices Control use of portable storage devices 1.1.0
Access Control AC-20 (2) Portable Storage Devices Implement controls to secure all media 1.1.0
Access Control AC-21 Information Sharing Automate information sharing decisions 1.1.0
Access Control AC-21 Information Sharing Facilitate information sharing 1.1.0
Access Control AC-22 Publicly Accessible Content Designate authorized personnel to post publicly accessible information 1.1.0
Access Control AC-22 Publicly Accessible Content Review content prior to posting publicly accessible information 1.1.0
Access Control AC-22 Publicly Accessible Content Review publicly accessible content for nonpublic information 1.1.0
Access Control AC-22 Publicly Accessible Content Train personnel on disclosure of nonpublic information 1.1.0
Awareness And Training AT-1 Security Awareness And Training Policy And Procedures Document security and privacy training activities 1.1.0
Awareness And Training AT-1 Security Awareness And Training Policy And Procedures Update information security policies 1.1.0
Awareness And Training AT-2 Security Awareness Training Provide periodic security awareness training 1.1.0
Awareness And Training AT-2 Security Awareness Training Provide security training for new users 1.1.0
Awareness And Training AT-2 Security Awareness Training Provide updated security awareness training 1.1.0
Awareness And Training AT-2 (2) Insider Threat Provide security awareness training for insider threats 1.1.0
Awareness And Training AT-3 Role-Based Security Training Provide periodic role-based security training 1.1.0
Awareness And Training AT-3 Role-Based Security Training Provide role-based security training 1.1.0
Awareness And Training AT-3 Role-Based Security Training Provide security training before providing access 1.1.0
Awareness And Training AT-3 (3) Practical Exercises Provide role-based practical exercises 1.1.0
Awareness And Training AT-3 (4) Suspicious Communications And Anomalous System Behavior Provide role-based training on suspicious activities 1.1.0
Awareness And Training AT-4 Security Training Records Document security and privacy training activities 1.1.0
Awareness And Training AT-4 Security Training Records Monitor security and privacy training completion 1.1.0
Awareness And Training AT-4 Security Training Records Retain training records 1.1.0
Audit And Accountability AU-1 Audit And Accountability Policy And Procedures Develop audit and accountability policies and procedures 1.1.0
Audit And Accountability AU-1 Audit And Accountability Policy And Procedures Develop information security policies and procedures 1.1.0
Audit And Accountability AU-1 Audit And Accountability Policy And Procedures Govern policies and procedures 1.1.0
Audit And Accountability AU-1 Audit And Accountability Policy And Procedures Update information security policies 1.1.0
Audit And Accountability AU-2 Audit Events Determine auditable events 1.1.0
Audit And Accountability AU-2 (3) Reviews And Updates Review and update the events defined in AU-02 1.1.0
Audit And Accountability AU-3 Content Of Audit Records Determine auditable events 1.1.0
Audit And Accountability AU-3 (1) Additional Audit Information Configure Azure Audit capabilities 1.1.1
Audit And Accountability AU-4 Audit Storage Capacity Govern and monitor audit processing activities 1.1.0
Audit And Accountability AU-5 Response To Audit Processing Failures Govern and monitor audit processing activities 1.1.0
Audit And Accountability AU-5 (2) Real-Time Alerts Provide real-time alerts for audit event failures 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for App Service should be enabled 1.0.3
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for DNS should be enabled 1.0.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for Key Vault should be enabled 1.0.3
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for Resource Manager should be enabled 1.0.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for servers should be enabled 1.0.3
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for Storage should be enabled 1.0.3
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Correlate audit records 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Establish requirements for audit review and reporting 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Integrate audit review, analysis, and reporting 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Integrate cloud app security with a siem 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Microsoft Defender for Containers should be enabled 1.0.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Review account provisioning logs 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Review administrator assignments weekly 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Review audit data 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Review cloud identity report overview 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Review controlled folder access events 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Review file and folder activity 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Review role group changes weekly 1.1.0
Audit And Accountability AU-6 (1) Process Integration Correlate audit records 1.1.0
Audit And Accountability AU-6 (1) Process Integration Establish requirements for audit review and reporting 1.1.0
Audit And Accountability AU-6 (1) Process Integration Integrate audit review, analysis, and reporting 1.1.0
Audit And Accountability AU-6 (1) Process Integration Integrate cloud app security with a siem 1.1.0
Audit And Accountability AU-6 (1) Process Integration Review account provisioning logs 1.1.0
Audit And Accountability AU-6 (1) Process Integration Review administrator assignments weekly 1.1.0
Audit And Accountability AU-6 (1) Process Integration Review audit data 1.1.0
Audit And Accountability AU-6 (1) Process Integration Review cloud identity report overview 1.1.0
Audit And Accountability AU-6 (1) Process Integration Review controlled folder access events 1.1.0
Audit And Accountability AU-6 (1) Process Integration Review file and folder activity 1.1.0
Audit And Accountability AU-6 (1) Process Integration Review role group changes weekly 1.1.0
Audit And Accountability AU-6 (3) Correlate Audit Repositories Correlate audit records 1.1.0
Audit And Accountability AU-6 (3) Correlate Audit Repositories Integrate cloud app security with a siem 1.1.0
Audit And Accountability AU-6 (4) Central Review And Analysis Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for App Service should be enabled 1.0.3
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for DNS should be enabled 1.0.0
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for Key Vault should be enabled 1.0.3
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for Resource Manager should be enabled 1.0.0
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for servers should be enabled 1.0.3
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for Storage should be enabled 1.0.3
Audit And Accountability AU-6 (4) Central Review And Analysis Microsoft Defender for Containers should be enabled 1.0.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for App Service should be enabled 1.0.3
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for DNS should be enabled 1.0.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for Key Vault should be enabled 1.0.3
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for Resource Manager should be enabled 1.0.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for servers should be enabled 1.0.3
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for Storage should be enabled 1.0.3
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Integrate Audit record analysis 1.1.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Microsoft Defender for Containers should be enabled 1.0.0
Audit And Accountability AU-6 (7) Permitted Actions Specify permitted actions associated with customer audit information 1.1.0
Audit And Accountability AU-6 (10) Audit Level Adjustment Adjust level of audit review, analysis, and reporting 1.1.0
Audit And Accountability AU-7 Audit Reduction And Report Generation Ensure audit records are not altered 1.1.0
Audit And Accountability AU-7 Audit Reduction And Report Generation Provide audit review, analysis, and reporting capability 1.1.0
Audit And Accountability AU-7 (1) Automatic Processing Provide capability to process customer-controlled audit records 1.1.0
Audit And Accountability AU-8 Time Stamps Use system clocks for audit records 1.1.0
Audit And Accountability AU-8 (1) Synchronization With Authoritative Time Source Use system clocks for audit records 1.1.0
Audit And Accountability AU-9 Protection Of Audit Information Enable dual or joint authorization 1.1.0
Audit And Accountability AU-9 Protection Of Audit Information Protect audit information 1.1.0
Audit And Accountability AU-9 (2) Audit Backup On Separate Physical Systems / Components Establish backup policies and procedures 1.1.0
Audit And Accountability AU-9 (3) Cryptographic Protection Maintain integrity of audit system 1.1.0
Audit And Accountability AU-9 (4) Access By Subset Of Privileged Users Protect audit information 1.1.0
Audit And Accountability AU-10 Non-Repudiation Establish electronic signature and certificate requirements 1.1.0
Audit And Accountability AU-11 Audit Record Retention Adhere to retention periods defined 1.1.0
Audit And Accountability AU-11 Audit Record Retention Retain security policies and procedures 1.1.0
Audit And Accountability AU-11 Audit Record Retention Retain terminated user data 1.1.0
Audit And Accountability AU-12 Audit Generation Audit privileged functions 1.1.0
Audit And Accountability AU-12 Audit Generation Audit user account status 1.1.0
Audit And Accountability AU-12 Audit Generation Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit And Accountability AU-12 Audit Generation Azure Defender for App Service should be enabled 1.0.3
Audit And Accountability AU-12 Audit Generation Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit And Accountability AU-12 Audit Generation Azure Defender for DNS should be enabled 1.0.0
Audit And Accountability AU-12 Audit Generation Azure Defender for Key Vault should be enabled 1.0.3
Audit And Accountability AU-12 Audit Generation Azure Defender for Resource Manager should be enabled 1.0.0
Audit And Accountability AU-12 Audit Generation Azure Defender for servers should be enabled 1.0.3
Audit And Accountability AU-12 Audit Generation Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit And Accountability AU-12 Audit Generation Azure Defender for Storage should be enabled 1.0.3
Audit And Accountability AU-12 Audit Generation Determine auditable events 1.1.0
Audit And Accountability AU-12 Audit Generation Microsoft Defender for Containers should be enabled 1.0.0
Audit And Accountability AU-12 Audit Generation Review audit data 1.1.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for App Service should be enabled 1.0.3
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for DNS should be enabled 1.0.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for Key Vault should be enabled 1.0.3
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for Resource Manager should be enabled 1.0.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for servers should be enabled 1.0.3
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for Storage should be enabled 1.0.3
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Compile Audit records into system wide audit 1.1.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Microsoft Defender for Containers should be enabled 1.0.0
Audit And Accountability AU-12 (3) Changes By Authorized Individuals Provide the capability to extend or limit auditing on customer-deployed resources 1.1.0
Security Assessment And Authorization CA-1 Security Assessment And Authorization Policy And Procedures Review security assessment and authorization policies and procedures 1.1.0
Security Assessment And Authorization CA-2 Security Assessments Assess Security Controls 1.1.0
Security Assessment And Authorization CA-2 Security Assessments Deliver security assessment results 1.1.0
Security Assessment And Authorization CA-2 Security Assessments Develop security assessment plan 1.1.0
Security Assessment And Authorization CA-2 Security Assessments Produce Security Assessment report 1.1.0
Security Assessment And Authorization CA-2 (1) Independent Assessors Employ independent assessors to conduct security control assessments 1.1.0
Security Assessment And Authorization CA-2 (2) Specialized Assessments Select additional testing for security control assessments 1.1.0
Security Assessment And Authorization CA-2 (3) External Organizations Accept assessment results 1.1.0
Security Assessment And Authorization CA-3 System Interconnections Require interconnection security agreements 1.1.0
Security Assessment And Authorization CA-3 System Interconnections Update interconnection security agreements 1.1.0
Security Assessment And Authorization CA-3 (3) Unclassified Non-National Security System Connections Implement system boundary protection 1.1.0
Security Assessment And Authorization CA-3 (5) Restrictions On External System Connections Employ restrictions on external system interconnections 1.1.0
Security Assessment And Authorization CA-5 Plan Of Action And Milestones Develop POA&M 1.1.0
Security Assessment And Authorization CA-5 Plan Of Action And Milestones Update POA&M items 1.1.0
Security Assessment And Authorization CA-6 Security Authorization Assign an authorizing official (AO) 1.1.0
Security Assessment And Authorization CA-6 Security Authorization Ensure resources are authorized 1.1.0
Security Assessment And Authorization CA-6 Security Authorization Update the security authorization 1.1.0
Security Assessment And Authorization CA-7 Continuous Monitoring Configure detection allowlist 1.1.0
Security Assessment And Authorization CA-7 Continuous Monitoring Turn on sensors for endpoint security solution 1.1.0
Security Assessment And Authorization CA-7 Continuous Monitoring Undergo independent security review 1.1.0
Security Assessment And Authorization CA-7 (1) Independent Assessment Employ independent assessors for continuous monitoring 1.1.0
Security Assessment And Authorization CA-7 (3) Trend Analyses Analyse data obtained from continuous monitoring 1.1.0
Security Assessment And Authorization CA-8 (1) Independent Penetration Agent Or Team Employ independent team for penetration testing 1.1.0
Security Assessment And Authorization CA-9 Internal System Connections Check for privacy and security compliance before establishing internal connections 1.1.0
Configuration Management CM-1 Configuration Management Policy And Procedures Review and update configuration management policies and procedures 1.1.0
Configuration Management CM-2 Baseline Configuration Configure actions for noncompliant devices 1.1.0
Configuration Management CM-2 Baseline Configuration Develop and maintain baseline configurations 1.1.0
Configuration Management CM-2 Baseline Configuration Enforce security configuration settings 1.1.0
Configuration Management CM-2 Baseline Configuration Establish a configuration control board 1.1.0
Configuration Management CM-2 Baseline Configuration Establish and document a configuration management plan 1.1.0
Configuration Management CM-2 Baseline Configuration Implement an automated configuration management tool 1.1.0
Configuration Management CM-2 (2) Automation Support For Accuracy / Currency Configure actions for noncompliant devices 1.1.0
Configuration Management CM-2 (2) Automation Support For Accuracy / Currency Develop and maintain baseline configurations 1.1.0
Configuration Management CM-2 (2) Automation Support For Accuracy / Currency Enforce security configuration settings 1.1.0
Configuration Management CM-2 (2) Automation Support For Accuracy / Currency Establish a configuration control board 1.1.0
Configuration Management CM-2 (2) Automation Support For Accuracy / Currency Establish and document a configuration management plan 1.1.0
Configuration Management CM-2 (2) Automation Support For Accuracy / Currency Implement an automated configuration management tool 1.1.0
Configuration Management CM-2 (3) Retention Of Previous Configurations Retain previous versions of baseline configs 1.1.0
Configuration Management CM-2 (7) Configure Systems, Components, Or Devices For High-Risk Areas Ensure security safeguards not needed when the individuals return 1.1.0
Configuration Management CM-2 (7) Configure Systems, Components, Or Devices For High-Risk Areas Not allow for information systems to accompany with individuals 1.1.0
Configuration Management CM-3 Configuration Change Control Conduct a security impact analysis 1.1.0
Configuration Management CM-3 Configuration Change Control Develop and maintain a vulnerability management standard 1.1.0
Configuration Management CM-3 Configuration Change Control Establish a risk management strategy 1.1.0
Configuration Management CM-3 Configuration Change Control Establish and document change control processes 1.1.0
Configuration Management CM-3 Configuration Change Control Establish configuration management requirements for developers 1.1.0
Configuration Management CM-3 Configuration Change Control Perform a privacy impact assessment 1.1.0
Configuration Management CM-3 Configuration Change Control Perform a risk assessment 1.1.0
Configuration Management CM-3 Configuration Change Control Perform audit for configuration change control 1.1.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition Of Changes Automate approval request for proposed changes 1.1.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition Of Changes Automate implementation of approved change notifications 1.1.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition Of Changes Automate process to document implemented changes 1.1.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition Of Changes Automate process to highlight unreviewed change proposals 1.1.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition Of Changes Automate process to prohibit implementation of unapproved changes 1.1.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition Of Changes Automate proposed documented changes 1.1.0
Configuration Management CM-3 (2) Test / Validate / Document Changes Establish and document change control processes 1.1.0
Configuration Management CM-3 (2) Test / Validate / Document Changes Establish configuration management requirements for developers 1.1.0
Configuration Management CM-3 (2) Test / Validate / Document Changes Perform audit for configuration change control 1.1.0
Configuration Management CM-3 (4) Security Representative Assign information security representative to change control 1.1.0
Configuration Management CM-3 (6) Cryptography Management Ensure cryptographic mechanisms are under configuration management 1.1.0
Configuration Management CM-4 Security Impact Analysis Conduct a security impact analysis 1.1.0
Configuration Management CM-4 Security Impact Analysis Develop and maintain a vulnerability management standard 1.1.0
Configuration Management CM-4 Security Impact Analysis Establish a risk management strategy 1.1.0
Configuration Management CM-4 Security Impact Analysis Establish and document change control processes 1.1.0
Configuration Management CM-4 Security Impact Analysis Establish configuration management requirements for developers 1.1.0
Configuration Management CM-4 Security Impact Analysis Perform a privacy impact assessment 1.1.0
Configuration Management CM-4 Security Impact Analysis Perform a risk assessment 1.1.0
Configuration Management CM-4 Security Impact Analysis Perform audit for configuration change control 1.1.0
Configuration Management CM-4 (1) Separate Test Environments Conduct a security impact analysis 1.1.0
Configuration Management CM-4 (1) Separate Test Environments Establish and document change control processes 1.1.0
Configuration Management CM-4 (1) Separate Test Environments Establish configuration management requirements for developers 1.1.0
Configuration Management CM-4 (1) Separate Test Environments Perform a privacy impact assessment 1.1.0
Configuration Management CM-4 (1) Separate Test Environments Perform audit for configuration change control 1.1.0
Configuration Management CM-5 Access Restrictions For Change Establish and document change control processes 1.1.0
Configuration Management CM-5 (1) Automated Access Enforcement / Auditing Enforce and audit access restrictions 1.1.0
Configuration Management CM-5 (2) Review System Changes Review changes for any unauthorized changes 1.1.0
Configuration Management CM-5 (3) Signed Components Restrict unauthorized software and firmware installation 1.1.0
Configuration Management CM-5 (5) Limit Production / Operational Privileges Limit privileges to make changes in production environment 1.1.0
Configuration Management CM-5 (5) Limit Production / Operational Privileges Review and reevaluate privileges 1.1.0
Configuration Management CM-6 Configuration Settings Enforce security configuration settings 1.1.0
Configuration Management CM-6 Configuration Settings Remediate information system flaws 1.1.0
Configuration Management CM-6 (1) Automated Central Management / Application / Verification Enforce security configuration settings 1.1.0
Configuration Management CM-6 (1) Automated Central Management / Application / Verification Govern compliance of cloud service providers 1.1.0
Configuration Management CM-6 (1) Automated Central Management / Application / Verification View and configure system diagnostic data 1.1.0
Configuration Management CM-7 Least Functionality Azure Defender for servers should be enabled 1.0.3
Configuration Management CM-8 Information System Component Inventory Create a data inventory 1.1.0
Configuration Management CM-8 Information System Component Inventory Maintain records of processing of personal data 1.1.0
Configuration Management CM-8 (1) Updates During Installations / Removals Create a data inventory 1.1.0
Configuration Management CM-8 (1) Updates During Installations / Removals Maintain records of processing of personal data 1.1.0
Configuration Management CM-8 (3) Automated Unauthorized Component Detection Enable detection of network devices 1.1.0
Configuration Management CM-8 (3) Automated Unauthorized Component Detection Set automated notifications for new and trending cloud applications in your organization 1.1.0
Configuration Management CM-8 (4) Accountability Information Create a data inventory 1.1.0
Configuration Management CM-8 (4) Accountability Information Establish and maintain an asset inventory 1.1.0
Configuration Management CM-9 Configuration Management Plan Create configuration plan protection 1.1.0
Configuration Management CM-9 Configuration Management Plan Develop and maintain baseline configurations 1.1.0
Configuration Management CM-9 Configuration Management Plan Develop configuration item identification plan 1.1.0
Configuration Management CM-9 Configuration Management Plan Develop configuration management plan 1.1.0
Configuration Management CM-9 Configuration Management Plan Establish and document a configuration management plan 1.1.0
Configuration Management CM-9 Configuration Management Plan Implement an automated configuration management tool 1.1.0
Configuration Management CM-10 Software Usage Restrictions Require compliance with intellectual property rights 1.1.0
Configuration Management CM-10 Software Usage Restrictions Track software license usage 1.1.0
Configuration Management CM-10 (1) Open Source Software Restrict use of open source software 1.1.0
Contingency Planning CP-1 Contingency Planning Policy And Procedures Review and update contingency planning policies and procedures 1.1.0
Contingency Planning CP-2 Contingency Plan Communicate contingency plan changes 1.1.0
Contingency Planning CP-2 Contingency Plan Coordinate contingency plans with related plans 1.1.0
Contingency Planning CP-2 Contingency Plan Develop and document a business continuity and disaster recovery plan 1.1.0
Contingency Planning CP-2 Contingency Plan Develop contingency plan 1.1.0
Contingency Planning CP-2 Contingency Plan Develop contingency planning policies and procedures 1.1.0
Contingency Planning CP-2 Contingency Plan Distribute policies and procedures 1.1.0
Contingency Planning CP-2 Contingency Plan Review contingency plan 1.1.0
Contingency Planning CP-2 Contingency Plan Update contingency plan 1.1.0
Contingency Planning CP-2 (1) Coordinate With Related Plans Coordinate contingency plans with related plans 1.1.0
Contingency Planning CP-2 (2) Capacity Planning Conduct capacity planning 1.1.0
Contingency Planning CP-2 (3) Resume Essential Missions / Business Functions Plan for resumption of essential business functions 1.1.0
Contingency Planning CP-2 (4) Resume All Missions / Business Functions Resume all mission and business functions 1.1.0
Contingency Planning CP-2 (5) Continue Essential Missions / Business Functions Plan for continuance of essential business functions 1.1.0
Contingency Planning CP-2 (8) Identify Critical Assets Perform a business impact assessment and application criticality assessment 1.1.0
Contingency Planning CP-3 Contingency Training Provide contingency training 1.1.0
Contingency Planning CP-3 (1) Simulated Events Incorporate simulated contingency training 1.1.0
Contingency Planning CP-4 Contingency Plan Testing Initiate contingency plan testing corrective actions 1.1.0
Contingency Planning CP-4 Contingency Plan Testing Review the results of contingency plan testing 1.1.0
Contingency Planning CP-4 Contingency Plan Testing Test the business continuity and disaster recovery plan 1.1.0
Contingency Planning CP-4 (1) Coordinate With Related Plans Coordinate contingency plans with related plans 1.1.0
Contingency Planning CP-4 (2) Alternate Processing Site Evaluate alternate processing site capabilities 1.1.0
Contingency Planning CP-4 (2) Alternate Processing Site Test contingency plan at an alternate processing location 1.1.0
Contingency Planning CP-6 Alternate Storage Site Ensure alternate storage site safeguards are equivalent to primary site 1.1.0
Contingency Planning CP-6 Alternate Storage Site Establish alternate storage site to store and retrieve backup information 1.1.0
Contingency Planning CP-6 (1) Separation From Primary Site Create separate alternate and primary storage sites 1.1.0
Contingency Planning CP-6 (2) Recovery Time / Point Objectives Establish alternate storage site that facilitates recovery operations 1.1.0
Contingency Planning CP-6 (3) Accessibility Identify and mitigate potential issues at alternate storage site 1.1.0
Contingency Planning CP-7 Alternate Processing Site Audit virtual machines without disaster recovery configured 1.0.0
Contingency Planning CP-7 Alternate Processing Site Establish an alternate processing site 1.1.0
Contingency Planning CP-7 (1) Separation From Primary Site Establish an alternate processing site 1.1.0
Contingency Planning CP-7 (2) Accessibility Establish an alternate processing site 1.1.0
Contingency Planning CP-7 (3) Priority Of Service Establish an alternate processing site 1.1.0
Contingency Planning CP-7 (3) Priority Of Service Establish requirements for internet service providers 1.1.0
Contingency Planning CP-7 (4) Preparation For Use Prepare alternate processing site for use as operational site 1.1.0
Contingency Planning CP-8 (1) Priority Of Service Provisions Establish requirements for internet service providers 1.1.0
Contingency Planning CP-9 Information System Backup Conduct backup of information system documentation 1.1.0
Contingency Planning CP-9 Information System Backup Establish backup policies and procedures 1.1.0
Contingency Planning CP-9 Information System Backup Implement controls to secure all media 1.1.0
Contingency Planning CP-9 (3) Separate Storage For Critical Information Separately store backup information 1.1.0
Contingency Planning CP-9 (5) Transfer To Alternate Storage Site Transfer backup information to an alternate storage site 1.1.0
Contingency Planning CP-10 Information System Recovery And Reconstitution Recover and reconstitute resources after any disruption 1.1.1
Contingency Planning CP-10 (2) Transaction Recovery Implement transaction based recovery 1.1.0
Contingency Planning CP-10 (4) Restore Within Time Period Restore resources to operational state 1.1.1
Identification And Authentication IA-1 Identification And Authentication Policy And Procedures Review and update identification and authentication policies and procedures 1.1.0
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) Enforce user uniqueness 1.1.0
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) MFA should be enabled for accounts with write permissions on your subscription 3.0.1
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) Support personal verification credentials issued by legal authorities 1.1.0
Identification And Authentication IA-2 (1) Network Access To Privileged Accounts Adopt biometric authentication mechanisms 1.1.0
Identification And Authentication IA-2 (1) Network Access To Privileged Accounts MFA should be enabled for accounts with write permissions on your subscription 3.0.1
Identification And Authentication IA-2 (1) Network Access To Privileged Accounts MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification And Authentication IA-2 (2) Network Access To Non-Privileged Accounts Adopt biometric authentication mechanisms 1.1.0
Identification And Authentication IA-2 (2) Network Access To Non-Privileged Accounts MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification And Authentication IA-2 (3) Local Access To Privileged Accounts Adopt biometric authentication mechanisms 1.1.0
Identification And Authentication IA-2 (5) Group Authentication Require use of individual authenticators 1.1.0
Identification And Authentication IA-2 (11) Remote Access - Separate Device Adopt biometric authentication mechanisms 1.1.0
Identification And Authentication IA-2 (11) Remote Access - Separate Device Identify and authenticate network devices 1.1.0
Identification And Authentication IA-2 (12) Acceptance Of Piv Credentials Support personal verification credentials issued by legal authorities 1.1.0
Identification And Authentication IA-4 Identifier Management Assign system identifiers 1.1.0
Identification And Authentication IA-4 Identifier Management Prevent identifier reuse for the defined time period 1.1.0
Identification And Authentication IA-4 (4) Identify User Status Identify status of individual users 1.1.0
Identification And Authentication IA-5 Authenticator Management Establish authenticator types and processes 1.1.0
Identification And Authentication IA-5 Authenticator Management Establish procedures for initial authenticator distribution 1.1.0
Identification And Authentication IA-5 Authenticator Management Implement training for protecting authenticators 1.1.0
Identification And Authentication IA-5 Authenticator Management Manage authenticator lifetime and reuse 1.1.0
Identification And Authentication IA-5 Authenticator Management Manage Authenticators 1.1.0
Identification And Authentication IA-5 Authenticator Management Refresh authenticators 1.1.0
Identification And Authentication IA-5 Authenticator Management Reissue authenticators for changed groups and accounts 1.1.0
Identification And Authentication IA-5 Authenticator Management Verify identity before distributing authenticators 1.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Document security strength requirements in acquisition contracts 1.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Establish a password policy 1.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Implement parameters for memorized secret verifiers 1.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Protect passwords with encryption 1.1.0
Identification And Authentication IA-5 (2) Pki-Based Authentication Bind authenticators and identities dynamically 1.1.0
Identification And Authentication IA-5 (2) Pki-Based Authentication Establish authenticator types and processes 1.1.0
Identification And Authentication IA-5 (2) Pki-Based Authentication Establish parameters for searching secret authenticators and verifiers 1.1.0
Identification And Authentication IA-5 (2) Pki-Based Authentication Establish procedures for initial authenticator distribution 1.1.0
Identification And Authentication IA-5 (2) Pki-Based Authentication Map authenticated identities to individuals 1.1.0
Identification And Authentication IA-5 (2) Pki-Based Authentication Restrict access to private keys 1.1.0
Identification And Authentication IA-5 (2) Pki-Based Authentication Verify identity before distributing authenticators 1.1.0
Identification And Authentication IA-5 (3) In-Person Or Trusted Third-Party Registration Distribute authenticators 1.1.0
Identification And Authentication IA-5 (4) Automated Support For Password Strength Determination Document security strength requirements in acquisition contracts 1.1.0
Identification And Authentication IA-5 (4) Automated Support For Password Strength Determination Establish a password policy 1.1.0
Identification And Authentication IA-5 (4) Automated Support For Password Strength Determination Implement parameters for memorized secret verifiers 1.1.0
Identification And Authentication IA-5 (6) Protection Of Authenticators Ensure authorized users protect provided authenticators 1.1.0
Identification And Authentication IA-5 (7) No Embedded Unencrypted Static Authenticators Ensure there are no unencrypted static authenticators 1.1.0
Identification And Authentication IA-5 (11) Hardware Token-Based Authentication Satisfy token quality requirements 1.1.0
Identification And Authentication IA-5 (13) Expiration Of Cached Authenticators Enforce expiration of cached authenticators 1.1.0
Identification And Authentication IA-6 Authenticator Feedback Obscure feedback information during authentication process 1.1.0
Identification And Authentication IA-7 Cryptographic Module Authentication Authenticate to cryptographic module 1.1.0
Identification And Authentication IA-8 Identification And Authentication (Non- Organizational Users) Identify and authenticate non-organizational users 1.1.0
Identification And Authentication IA-8 (1) Acceptance Of Piv Credentials From Other Agencies Accept PIV credentials 1.1.0
Identification And Authentication IA-8 (2) Acceptance Of Third-Party Credentials Accept only FICAM-approved third-party credentials 1.1.0
Identification And Authentication IA-8 (3) Use Of Ficam-Approved Products Employ FICAM-approved resources to accept third-party credentials 1.1.0
Identification And Authentication IA-8 (4) Use Of Ficam-Issued Profiles Conform to FICAM-issued profiles 1.1.0
Incident Response IR-1 Incident Response Policy And Procedures Review and update incident response policies and procedures 1.1.0
Incident Response IR-2 Incident Response Training Provide information spillage training 1.1.0
Incident Response IR-2 (1) Simulated Events Incorporate simulated events into incident response training 1.1.0
Incident Response IR-2 (2) Automated Training Environments Employ automated training environment 1.1.0
Incident Response IR-3 Incident Response Testing Conduct incident response testing 1.1.0
Incident Response IR-3 Incident Response Testing Establish an information security program 1.1.0
Incident Response IR-3 Incident Response Testing Run simulation attacks 1.1.0
Incident Response IR-3 (2) Coordination With Related Plans Conduct incident response testing 1.1.0
Incident Response IR-3 (2) Coordination With Related Plans Establish an information security program 1.1.0
Incident Response IR-3 (2) Coordination With Related Plans Run simulation attacks 1.1.0
Incident Response IR-4 Incident Handling Assess information security events 1.1.0
Incident Response IR-4 Incident Handling Azure Defender for App Service should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Incident Response IR-4 Incident Handling Azure Defender for DNS should be enabled 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for Key Vault should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Resource Manager should be enabled 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for servers should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for SQL servers on machines should be enabled 1.0.2
Incident Response IR-4 Incident Handling Azure Defender for Storage should be enabled 1.0.3
Incident Response IR-4 Incident Handling Coordinate contingency plans with related plans 1.1.0
Incident Response IR-4 Incident Handling Develop an incident response plan 1.1.0
Incident Response IR-4 Incident Handling Develop security safeguards 1.1.0
Incident Response IR-4 Incident Handling Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR-4 Incident Handling Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR-4 Incident Handling Enable network protection 1.1.0
Incident Response IR-4 Incident Handling Eradicate contaminated information 1.1.0
Incident Response IR-4 Incident Handling Execute actions in response to information spills 1.1.0
Incident Response IR-4 Incident Handling Implement incident handling 1.1.0
Incident Response IR-4 Incident Handling Maintain incident response plan 1.1.0
Incident Response IR-4 Incident Handling Microsoft Defender for Containers should be enabled 1.0.0
Incident Response IR-4 Incident Handling Perform a trend analysis on threats 1.1.0
Incident Response IR-4 Incident Handling Subscriptions should have a contact email address for security issues 1.0.1
Incident Response IR-4 Incident Handling View and investigate restricted users 1.1.0
Incident Response IR-4 (1) Automated Incident Handling Processes Develop an incident response plan 1.1.0
Incident Response IR-4 (1) Automated Incident Handling Processes Enable network protection 1.1.0
Incident Response IR-4 (1) Automated Incident Handling Processes Implement incident handling 1.1.0
Incident Response IR-4 (2) Dynamic Reconfiguration Include dynamic reconfig of customer deployed resources